How to create split vpn server on CentOS 7 linux

In this article we show you how to create split vpn server on CentOS 7 linux.

In a split VPN setup we only want to reach one or more remote subnets, so we do not “send all traffic through the VPN”.

Here is our environment:

OS: CentOS 7 linux on VMware
Firewall: firewalld
SElinux: enforcing
VPN server IP address:
VPN server internal address:
VPN client IP address:
Isolated host:

1- Install prerequisites

Refer to this article to install L2TP and ipsec packages and configure them: How to install IPSEC IKEv2 vpn server on CentOS 7 linux

When you reach step 4 in the mentioned article, continue as follows.

2- Create Configuration

Put the following content in /etc/ipsec.d/ike.conf:
# vim /etc/ipsec.d/ike.conf

conn ike
        [email protected]

Note: remember to replace left= with your own IP address.
Note 1: mind the SPACES in the above configuration.
In the above configuration we have set leftsubnet; this is the subnet that our client will have access to.
So the easiest way to ensure our client can reach the remote subnet is to set the DHCP pool range within this subnet.
Here we want to access as the remote subnet and we have set as our DHCP pool subnet.
We also have to enable proxy ARP on the server's internal interface for that subnet.
If you want to know more about proxy ARP, refer to
So put the line below in /etc/sysctl.conf:

# eth1 is the internal interface with a 10.10.X.Y/16 IP address


Note: remember to replace eth1 with your own INTERNAL interface name.
and make it permanent by issuing:
# sysctl -p

3- Start IPsec Service

Now we start the ipsec service and check that it has started properly:

# systemctl enable ipsec
# systemctl start ipsec
# systemctl status ipsec

4- Configure firewall

Here we use the firewalld service. We need to allow IPsec, forward the internal L2TP client IP range traffic to the internet interface and do NAT:

# firewall-cmd --permanent --zone=public --add-masquerade
# firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
# firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
# firewall-cmd --permanent --add-port=500/udp 
# firewall-cmd --permanent --add-port=4500/udp 
# firewall-cmd --permanent --add-service="ipsec"
# firewall-cmd --reload
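As an added check (not part of the original article), the script below audits the output of `firewall-cmd --zone=public --list-all` and reports which of the settings applied above (masquerade, the ipsec service, UDP 500/4500, and the esp/ah rich rules) are missing; the sample zone output is constructed here, abridged, and the interface name eth0 in it is an assumption.

```python
import re

# Constructed (abridged) sample of `firewall-cmd --zone=public --list-all`
# output after the commands above were applied; not captured from a real host.
SAMPLE_ZONE_OUTPUT = """\
public (active)
  interfaces: eth0
  services: dhcpv6-client ipsec ssh
  ports: 500/udp 4500/udp
  masquerade: yes
  rich rules:
\trule protocol value="esp" accept
\trule protocol value="ah" accept
"""

EXPECTED_SERVICES = {"ipsec"}
EXPECTED_PORTS = {"500/udp", "4500/udp"}
EXPECTED_RICH_PROTOCOLS = {"esp", "ah"}

def parse_zone(text):
    # Map each "  key: value" line to a dict entry; the tab-indented lines that
    # follow "rich rules:" are collected as a list of rule strings.
    zone = {"rich rules": []}
    in_rich = False
    for line in text.splitlines():
        if in_rich and line.startswith("\t"):
            zone["rich rules"].append(line.strip())
            continue
        in_rich = False
        m = re.match(r"^ {2}([\w -]+): ?(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_rich = key == "rich rules"
            if not in_rich:
                zone[key] = value
    return zone

def audit_zone(text):
    # Return the expected IPsec settings missing from the zone (empty list means OK).
    zone = parse_zone(text)
    missing = []
    if zone.get("masquerade") != "yes":
        missing.append("masquerade")
    missing += ["service " + s for s in sorted(EXPECTED_SERVICES - set(zone.get("services", "").split()))]
    missing += ["port " + p for p in sorted(EXPECTED_PORTS - set(zone.get("ports", "").split()))]
    seen = {m.group(1) for m in (re.match(r'rule protocol value="(\w+)" accept$', r) for r in zone["rich rules"]) if m}
    missing += ["rich rule protocol " + p for p in sorted(EXPECTED_RICH_PROTOCOLS - seen)]
    return missing
```

On the server, pass the real output of `firewall-cmd --zone=public --list-all` to audit_zone() after `firewall-cmd --reload`; an empty result means every rule from this section is in place.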

If you use CSF, create a file named /etc/CSF/ and put these lines in it:

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -s -j ACCEPT
# iptables -t nat -A POSTROUTING -s -o eno16777728 -j MASQUERADE

Then reload CSF.
If you use plain iptables, just run the above commands and then save the changes with iptables-save.
Note: remember to replace eno16777728 with your own interface name.

5- Configure SELinux

We prefer to keep SELinux enabled, so to allow bringing up the VPN interfaces we should run the following command:

# setsebool -P daemons_use_tty 1

If you have disabled SELinux, simply skip the above command.