Question

IPSec: can't ping droplets in DO private network after IPSec tunnel is up

I’ve configured an IPSec tunnel between my droplet in DO and the network of one of my clients.

Everything seems to be working OK, but when the tunnel is up I'm not able to ping other droplets' private IPs (10.133.121.35, same datacenter):

The routing table doesn't change regardless of whether the tunnel is up or down:

default via 206.189.0.1 dev eth0 proto static 
10.18.0.0/16 dev eth0 proto kernel scope link src 10.18.0.27 
10.133.0.0/16 dev eth1 proto kernel scope link src 10.133.121.34 
169.254.43.16/30 dev Tunnel1 proto kernel scope link src 169.254.43.18 
172.31.0.0/16 dev Tunnel1 scope link metric 100 
206.189.0.0/20 dev eth0 proto kernel scope link src 206.189.5.144 

Tunnel down (ping and traceroute ok):

traceroute to 10.133.121.35 (10.133.121.35), 30 hops max, 60 byte packets
1  10.133.121.35 (10.133.121.35)  1.872 ms  1.836 ms *

Tunnel up (can't ping the DO private network; traceroute shows the route changed):

sudo ipsec start

sudo ipsec status

Security Associations (1 up, 0 connecting):
    Tunnel1[1]: ESTABLISHED 48 minutes ago, 206.189.5.144[206.189.5.144]...52.209.55.24[52.209.55.24]
    Tunnel1{1}:  REKEYED, TUNNEL, reqid 1, expires in 11 minutes
    Tunnel1{1}:   0.0.0.0/0 === 0.0.0.0/0
    Tunnel1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c55c34c7_i c6781168_o
    Tunnel1{2}:   0.0.0.0/0 === 0.0.0.0/0

traceroute to 10.133.121.35 (10.133.121.35), 30 hops max, 60 byte packets
1  * * *
2  10.82.68.63 (10.82.68.63)  10.901 ms 10.82.68.53 (10.82.68.53)  1.208 ms 10.82.68.55 (10.82.68.55)  1.449 ms
3  138.197.250.102 (138.197.250.102)  1.418 ms 138.197.250.100 (138.197.250.100)  1.566 ms 138.197.250.116 (138.197.250.116)  1.514 ms
4  * * *

This is my IPSec config:

config setup
    uniqueids = no

conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=206.189.5.144
    right=52.209.55.24
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    esp=aes128-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    # 0.0.0.0/0 on both sides: the IPsec policies (and any route charon installs
    # for them) cover all traffic, not only the 172.31.0.0/16 behind the peer
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    # only packets carrying fwmark 100 match the policies (VTI-style setup)
    mark=100
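The main routing table in the question is unchanged, but `traceroute` shows the packet leaving through the DO gateway hops on eth0 rather than directly on eth1, which is what you would expect if a higher-priority policy-routing table were answering first. The script below is an added diagnostic, not part of the original post and not strongSwan's own tooling: it asks the kernel which interface and source address it will actually use for the peer droplet (`ip route get`), and, when that is not eth1, dumps the places charon touches. It assumes the addresses from the question (peer 10.133.121.35, expected interface eth1) and that charon's kernel-netlink plugin is installing routes in table 220 with a `lookup 220` rule, which it does while `charon.install_routes` is left at its default. The sample route lines used in the comments are constructed in the style of `ip route get` output.

```sh
#!/bin/sh
# Added diagnostic for "can't reach DO private IPs while the tunnel is up".
# Assumptions (from the question's routing table): the peer droplet should be
# on-link via eth1; strongSwan's kernel-netlink plugin installs its own routes
# in table 220 and a "lookup 220" rule ahead of the main table unless
# charon.install_routes = no is set.

PEER=${PEER:-10.133.121.35}
WANT_DEV=${WANT_DEV:-eth1}

# route_field: print the value that follows a keyword (dev, src, via) in one
# line of `ip route get` output, or nothing if the keyword is absent.
# Example (constructed): "10.133.121.35 dev eth1 src 10.133.121.34 uid 0"
route_field() {
    # $1 = route line, $2 = keyword
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2[[:space:]]\([^[:space:]]*\).*/\1/p"
}

# route_ok: exit 0 when the route line leaves via the wanted interface.
route_ok() {
    [ "$(route_field "$1" dev)" = "$2" ]
}

# classify: one word for what the kernel decided for the peer address:
#   direct   - leaves on the wanted interface (the expected on-link path)
#   hijacked - leaves on another interface (e.g. via the eth0 default route)
#   unknown  - empty or unparseable line (no route, or iproute2 missing)
classify() {
    dev=$(route_field "$1" dev)
    if [ -z "$dev" ]; then
        echo unknown
    elif [ "$dev" = "$2" ]; then
        echo direct
    else
        echo hijacked
    fi
}

diagnose() {
    line=$(ip route get "$PEER" 2>/dev/null | head -n 1)
    echo "ip route get $PEER -> ${line:-<no route>}"
    case "$(classify "$line" "$WANT_DEV")" in
        direct)
            echo "OK: $PEER leaves via $WANT_DEV" ;;
        hijacked)
            echo "PROBLEM: packets leave via $(route_field "$line" dev)" \
                 "(gateway $(route_field "$line" via), src $(route_field "$line" src)), not $WANT_DEV"
            echo "--- ip rule (a 'lookup 220' entry ahead of main comes from charon):"
            ip rule show || true
            echo "--- table 220 (routes charon installed for its traffic selectors):"
            ip route show table 220 || true
            echo "--- xfrm policies (the 0.0.0.0/0 selectors with mark 100):"
            ip xfrm policy show || true ;;
        *)
            echo "could not determine the route (is iproute2 installed?)" ;;
    esac
}

# Run the live check only where iproute2 exists; the helpers above can be
# exercised on their own against captured output.
if command -v ip >/dev/null 2>&1; then
    diagnose
fi
```

If table 220 contains a default route pointing at eth0 with `src 206.189.5.144`, that is the route charon installed for the `0.0.0.0/0` selector, and it wins over the main table for every destination, including the private /16. Setting `install_routes = no` in the `charon { }` section of `/etc/strongswan.d/charon.conf` (or `strongswan.conf`) and restarting strongSwan stops charon from installing it; the static `172.31.0.0/16 dev Tunnel1` route already in the main table then carries the client-side traffic through the VTI, and everything else follows the normal tables. While editing the config, note that `modp1024` and SHA-1 in both the IKE and ESP proposals are legacy choices; move to at least `modp2048` and SHA-256 if the peer accepts them.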


Using Strongswan to connect to two VPCs within DigitalOcean. If I use the Digital Ocean droplet firewall it blocks ping traffic between two droplets, one in each VPC - even when I leave the firewall completely open (TCP/UDP/ICMP allowed from all addresses in both directions). When I drop the DO firewall it works - I can leave the UFW on.

Trying to figure out what the DO firewall is doing.

Did you figure this out?