Does DO Firewall support IP Protocol 50 (ESP)?

The first answer to the question is faulty: Port 50 (UDP/TCP) is NOT the same as ESP Protocol 50. To allow for IPSec passthrough, the DigitalOcean Cloud Firewalls would need to support ESP Protocol 50 - which they don’t.

It is an important feature of any firewall, to allow for setting up point-to-point IPSec between two servers, and DigitalOcean should have implemented this a long time ago in my view. It’s a little embarrassing for them to not offer this feature in 2020.

If you feel the same, and want to vote for this to be supported, please vote for this idea ticket: https://ideas.digitalocean.com/ideas/DO-I-2955

Hi @milesich,

You can open any port you wish and use it to your needs. In your case to open ports 50 and 51, you’ll need to execute the following commands:

• If you are using UFW, you can execute

sudo ufw allow 50
sudo ufw allow 51

• If you are using only IPtables, you can execute

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 50 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 51 -j ACCEPT

All of the provided commands will help you with openning the port and allowing traffic. It’s possible however, you wish to enable traffic only for a certain IP address. In that case, you’ll need to modify your commands a bid.

• UFW example with allowing IP access on a certain port

sudo ufw allow from XXX.XXX.XXX.XXX to any port 50
sudo ufw allow from XXX.XXX.XXX.XXX to any port 51

• Iptables example with allowing IP access on a certain port

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d XXX.XXX.XXX.XXX --dport 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d XXX.XXX.XXX.XXX --dport 51 -m state --state NEW,ESTABLISHED -j ACCEPT

Please remember to change XXX.XXX.XXX.XXX in any of the commands with your own IP address.

Reards, KDSys