Question

Creating a site-to-site IPSec tunnel between Digital Ocean and Unifi router

I’m having some trouble trying to establish a site-to-site IPSec tunnel between a Ubuntu 22.04 LTS droplet with StrongSwan and my Unifi USG.

The VPN is able to successfully connect, but I'm unable to pass traffic through in either direction: running show vpn ipsec sa on the USG shows packets out but no packets in, and running ip -s xfrm state on the droplet also shows packets out but no packets in.

On the Unifi side, I’ve created an IPSec VPN with the following details:

  • Key Exchange: IKEv2
  • Encryption: AES-256
  • Hash: SHA1
  • DH Group: 14
  • Perfect Forward Secrecy: Yes
  • Route-Based VPN: Yes
  • Route Distance: 30

On the Unifi side, I’m basing it off this tutorial on the StrongSwan website.

At this point, it's hard to tell whether my issue is on the Digital Ocean side or on the Unifi side. I'm inclined to think it's the Digital Ocean side because I've got other successful VPNs connected to my Unifi router (I've previously gotten an Azure VPN connected and I currently have a VPN with Oracle Cloud active).

So I did some research and came across this article, which says that DO will only drop incoming packets if the origin is spoofed.

Unfortunately, my knowledge of networking is somewhat limited and I’m not sure how I can verify if the origin is being spoofed (as presumably this happens above the droplet).

I asked a similar question on Reddit and they wondered if the issue was due to the fact that eth0 has two IP addresses (public and private). I thought I’d be able to work around that by using a vti interface, but no luck yet.

I've also tried tcpdumps on both ends. On the USG I was running sudo tcpdump -npi vti65, and on the droplet I was running sudo tcpdump -npi vti0. I'd go to the opposite device and try to ping the other. The ping would result in 100% packet loss and tcpdump would report 0 packets captured/received/dropped.

Running ip route doesn't show any irregularities either:

  • On the USG I had 192.168.1.0/24 dev vti0 scope link
  • On the droplet I had 192.168.254.0/24 dev vti65 proto zebra scope link

UFW is inactive and iptables is configured to accept everything.

What am I missing? I'm sure it's something obvious!
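As an added example (not the poster's configuration, and not code from the strongSwan tutorial the question refers to), here is a droplet-side script for the route-based VTI arrangement described above, matching the USG parameters listed (IKEv2, AES-256, SHA1, DH group 14, PFS). It has a dry-run mode, renders the two strongSwan config files, and includes a small helper that summarises the ip -s xfrm state packet counters per direction so the "packets out, no packets in" symptom can be read off mechanically. The public addresses 203.0.113.10 and 198.51.100.20, the VTI key 65 and the PSK are placeholder assumptions, and the sample xfrm output is constructed to show the symptom from the question.

```shell
#!/bin/sh
# Added example: droplet side of a route-based (VTI) strongSwan tunnel to a USG.
# Addresses, VTI key/mark and PSK are assumptions; override via the environment.
DROPLET_PUB="${DROPLET_PUB:-203.0.113.10}"      # assumed: public IP on the droplet's eth0
USG_PUB="${USG_PUB:-198.51.100.20}"             # assumed: USG WAN address
USG_LAN="${USG_LAN:-192.168.1.0/24}"            # LAN behind the USG (from the question)
VTI_KEY="${VTI_KEY:-65}"                        # assumed: must equal mark_in/mark_out below
PSK="${PSK:-replace-me-with-a-long-random-psk}"  # assumed placeholder secret

# Execute a privileged command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create vti0. The "key" is the ikey/okey the kernel matches against the SA
# mark; if it differs from strongSwan's mark_in/mark_out, packets are
# decrypted but never appear on vti0.
vti_setup() {
    run ip link add vti0 type vti key "$VTI_KEY" local "$DROPLET_PUB" remote "$USG_PUB"
    # Decrypted packets arriving on vti0 would otherwise be checked against the
    # marked inbound policy a second time and dropped.
    run sysctl -w "net.ipv4.conf.vti0.disable_policy=1"
    run sysctl -w net.ipv4.ip_forward=1
    run ip link set vti0 up mtu 1400
    run ip route add "$USG_LAN" dev vti0
}

# strongswan.conf: with 0.0.0.0/0 traffic selectors the default
# install_routes=yes would push a default route into table 220 and swallow the
# droplet's own traffic; the route over vti0 above carries the tunnel instead.
render_strongswan_conf() {
cat <<EOF
charon {
    install_routes = no
}
EOF
}

# swanctl.conf: aes256-sha1-modp2048 spells out AES-256, SHA1 and DH group 14;
# repeating modp2048 in esp_proposals is what provides PFS on CHILD_SA rekeys.
render_swanctl_conf() {
cat <<EOF
connections {
    usg {
        version = 2
        local_addrs = $DROPLET_PUB
        remote_addrs = $USG_PUB
        proposals = aes256-sha1-modp2048
        local {
            auth = psk
            id = $DROPLET_PUB
        }
        remote {
            auth = psk
            id = $USG_PUB
        }
        children {
            vti {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256-sha1-modp2048
                mark_in = $VTI_KEY
                mark_out = $VTI_KEY
                start_action = start
            }
        }
    }
}
secrets {
    ike-usg {
        id-1 = $DROPLET_PUB
        id-2 = $USG_PUB
        secret = "$PSK"
    }
}
EOF
}

# Summarise "ip -s xfrm state" (stdin) as total packets per direction. An SA
# whose dst is our own address is the inbound one, so "in=0 out=N" means ESP
# is leaving but nothing is being decrypted on this host.
sa_packet_counts() {
    awk -v me="$DROPLET_PUB" '
        /^src / { dir = ($4 == me) ? "in" : "out"; next }
        /lifetime current:/ { want = 1; next }
        want == 1 { split($2, p, "("); pkts[dir] += p[1]; want = 0 }
        END { printf "in=%d out=%d\n", pkts["in"] + 0, pkts["out"] + 0 }'
}

# Constructed, abbreviated "ip -s xfrm state" output showing the symptom from
# the question: the outbound SA has counted packets, the inbound SA has none.
sample_xfrm_state() {
cat <<EOF
src $DROPLET_PUB dst $USG_PUB
	proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
	mark 0x41/0xffffffff
	lifetime config:
	  limit: soft (INF)(packets), hard (INF)(packets)
	lifetime current:
	  5208(bytes), 42(packets)
src $USG_PUB dst $DROPLET_PUB
	proto esp spi 0x4d3c2b1a reqid 1 mode tunnel
	mark 0x41/0xffffffff
	lifetime current:
	  0(bytes), 0(packets)
EOF
}

case "${1:-}" in
    apply) vti_setup ;;                                  # as root on the droplet
    conf)  render_strongswan_conf; echo; render_swanctl_conf ;;
    check) ip -s xfrm state | sa_packet_counts ;;        # live counters
    *)     sample_xfrm_state | sa_packet_counts ;;       # offline demo: in=0 out=42
esac
```

Run it with apply as root to create the interface, with conf to print the fragments for /etc/strongswan.conf and /etc/swanctl/swanctl.conf, and with check to read the live counters. The three invariants to verify on a droplet that shows in=0 are: the VTI key equals mark_in and mark_out (the 0x41 in the mark line is 65), disable_policy is 1 on vti0, and install_routes is off so table 220 has no default route. To separate "ESP never arrives" from "ESP arrives but is not decrypted or routed", capture on the outer interface rather than the VTI: tcpdump -ni eth0 esp and host <USG_PUB>; if nothing shows up there while the USG reports packets out, the drop is upstream of the droplet, not in its xfrm or routing state.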
