IPSec: can't ping droplets in DO private network after IPSec tunnel is up

I’ve configured an IPSec tunnel between my droplet in DO and the network of one of my clients.

All seems to be working ok, but when the tunnel is up I’m not able to ping other droplets’ private IPs (, same datacenter):

Routing table doesn’t change, no matter whether the tunnel is up or down:

default via dev eth0 proto static
 dev eth0 proto kernel scope link src
 dev eth1 proto kernel scope link src
 dev Tunnel1 proto kernel scope link src
 dev Tunnel1 scope link metric 100
 dev eth0 proto kernel scope link src

Tunnel down (ping and traceroute ok):

traceroute to (, 30 hops max, 60 byte packets
1 (  1.872 ms  1.836 ms *

Tunnel up (can’t ping DO private network, traceroute shows the route changed)

sudo ipsec start

sudo ipsec status

Security Associations (1 up, 0 connecting):
    Tunnel1[1]: ESTABLISHED 48 minutes ago,[]...[]
    Tunnel1{1}:  REKEYED, TUNNEL, reqid 1, expires in 11 minutes
    Tunnel1{1}: ===
    Tunnel1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c55c34c7_i c6781168_o
    Tunnel1{2}: ===

traceroute to (, 30 hops max, 60 byte packets
1  * * *
2 (  10.901 ms (  1.208 ms (  1.449 ms
3 (  1.418 ms (  1.566 ms (  1.514 ms
4  * * *

This is my IPSec config:

config setup
    uniqueids = no

conn Tunnel1
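A small diagnostic added here as an example (not part of the question above and not strongSwan’s own code): it parses `ip xfrm policy show` output and reports whether a given source/destination pair is pulled into the tunnel, explicitly bypassed, or left to the ordinary routing table, which is the check that explains a traceroute changing while `ip route` does not, since the kernel consults XFRM policies before routing. The sample policy dump, its addresses and priorities are constructed, and the over-broad `dst 0.0.0.0/0` selector is an assumption about one way this symptom can arise, not something the post confirms.

```python
import ipaddress
import re

# Constructed sample in the shape `ip xfrm policy show` prints on a strongSwan
# host (documentation addresses, not the poster's). The second policy stands
# for an over-broad rightsubnet that also matches the 10.132.0.0/16 private net.
BROAD_POLICY = """\
src 10.132.0.0/16 dst 192.168.50.0/24
	dir out priority 375423 ptype main
	tmpl src 203.0.113.10 dst 198.51.100.20
		proto esp reqid 1 mode tunnel
src 10.132.0.0/16 dst 0.0.0.0/0
	dir out priority 383615 ptype main
	tmpl src 203.0.113.10 dst 198.51.100.20
		proto esp reqid 1 mode tunnel
"""

# Same host after adding a strongSwan passthrough conn for the private network:
# a bypass policy with no tmpl and a better (numerically lower) priority.
WITH_PASSTHROUGH = BROAD_POLICY + """\
src 10.132.0.0/16 dst 10.132.0.0/16
	dir out priority 175423 ptype main
"""

HEADER = re.compile(r"^src (\S+) dst (\S+)")


def parse_policies(text):
    """Return one dict per policy: src, dst, dir, priority, tunnel (has a tmpl)."""
    policies = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None, "priority": None, "tunnel": False})
            continue
        parts = line.split()
        if not parts or not policies:
            continue
        cur = policies[-1]
        if parts[0] == "dir":
            cur["dir"] = parts[1]
            cur["priority"] = int(parts[parts.index("priority") + 1])
        elif parts[0] == "tmpl":      # a template means "protect" (ESP tunnel)
            cur["tunnel"] = True
    return policies


def classify(text, src_ip, dst_ip, direction="out"):
    """Decide what the kernel does with src->dst: 'tunnel', 'bypass' or 'route'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in parse_policies(text)
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    if not hits:
        return "route"                                 # no policy: routing table applies
    best = min(hits, key=lambda p: p["priority"])      # lower value wins
    return "tunnel" if best["tunnel"] else "bypass"
```

Run `classify` against the live output of `ip xfrm policy show` with the droplet’s private IP and a neighbour’s private IP; a `tunnel` result for that pair means the traffic selectors, not the routing table, are steering private-network traffic into the SA.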


Using Strongswan to connect to two VPCs within DigitalOcean. If I use the Digital Ocean droplet firewall it blocks ping traffic between two droplets, one in each VPC - even when I leave the firewall completely open (TCP/UDP/ICMP allowed from all addresses in both directions). When I drop the DO firewall it works - I can leave the UFW on.

Trying to figure out what the DO firewall is doing.

Did you figure this out?