IPsec tunnel from AWS to DO, help please
We are running Ubuntu 16.04, a clean install with the latest strongSwan. We are creating an IPsec tunnel between AWS and the droplet. The tunnel is up; however, we cannot connect to any ports on any AWS servers from the DO droplet.
We verified that there are no firewall rules on the AWS side and no firewall or ufw enabled on the DO side. This same scenario, with AWS on one side and hardware VPNs on the other, is working, so it seems to be something specific to either the strongSwan config or the DO infrastructure.
Here is the VPN status:
Security Associations (1 up, 0 connecting):
Tunnel1[1]: ESTABLISHED 26 seconds ago, 162.243.5.4[162.243.5.4]...52.72.253.197[52.72.253.197]
Tunnel1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c849a6e6i d4644947o
Tunnel1{1}: 0.0.0.0/0 === 0.0.0.0/0
VPN Config:
config setup
    # strictcrlpolicy=yes
    uniqueids = no

conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=162.243.5.4
    right=52.72.253.197
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    # the modp1024 group on the esp line enables PFS (DH group 2) for the CHILD_SA
    esp=aes128-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    # any/any traffic selectors: every destination is eligible for the tunnel
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    # the installed XFRM policies and SAs match only packets carrying mark 0x64
    mark=100
We have gone down so many paths to try to determine what is going on, from the CIDR being too close to the DO private IP to outdated strongSwan files. Any help is greatly appreciated. There must be something incredibly obvious we missed, even though we have had four pairs of eyes on it for two days.
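Added example, not code from the original post or from the strongSwan project: a small Python linter that parses the ipsec.conf above and reports the settings that matter when a CHILD_SA shows INSTALLED but nothing flows. The check it encodes is strongSwan's documented behaviour of the mark= option: the XFRM policies and SAs it installs match only packets carrying that mark, so the kernel needs a VTI interface keyed with the same value (or an iptables mangle rule setting the mark) before any packet is routed into the tunnel. It also flags the 1024-bit DH group and SHA-1 as legacy choices. The inside-tunnel /30 addresses, the VPC CIDR and the updown-script path used below are placeholders chosen for illustration; the post does not show them, and the VTI commands use leftid as the local address on the assumption that the droplet's public IP is bound directly on its interface.

```python
"""Lint a strongSwan ipsec.conf for settings that leave a tunnel ESTABLISHED
but passing no traffic.  Added example; not code from the original post."""
import re

# Sample input: the conn section from the post, embedded so this runs offline.
SAMPLE_CONF = """\
config setup
# strictcrlpolicy=yes
uniqueids = no
conn Tunnel1
auto=start
left=%defaultroute
leftid=162.243.5.4
right=52.72.253.197
type=tunnel
leftauth=psk
rightauth=psk
keyexchange=ikev1
ike=aes128-sha1-modp1024
ikelifetime=8h
esp=aes128-sha1-modp1024
lifetime=1h
keyingtries=%forever
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
mark=100
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)$")
LEGACY_ALGS = ("md5", "sha1", "3des", "modp768", "modp1024")


def parse_ipsec_conf(text):
    """Return {'conn Tunnel1': {key: value}, ...}.  ipsec.conf is section based
    ('config setup', 'conn NAME'); '#' lines are comments; 'k=v' and 'k = v' both occur."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def parse_mark(value):
    """'100', '0x64' or '100/0xff' -> (mark, mask); strongSwan's default mask is all ones."""
    mark, _, mask = value.partition("/")
    return int(mark, 0), (int(mask, 0) if mask else 0xFFFFFFFF)


def check_conn(conn):
    """Return [(code, message)] findings for one conn section."""
    findings = []
    any_any = conn.get("leftsubnet") == "0.0.0.0/0" and conn.get("rightsubnet") == "0.0.0.0/0"
    if "mark" in conn:
        mark, mask = parse_mark(conn["mark"])
        # Heuristic: a custom updown script is where a VTI or mangle rule is normally created.
        if "leftupdown" not in conn and "rightupdown" not in conn:
            findings.append(("MARK_WITHOUT_UPDOWN",
                f"mark={conn['mark']}: policies/SAs match only packets with mark {mark:#x}/{mask:#x}; "
                f"without a VTI (key {mark}) or a mangle rule setting it, unmarked traffic never "
                "enters the tunnel"))
    elif any_any:
        findings.append(("ANY_ANY_POLICY_BASED",
            "0.0.0.0/0 on both sides with no mark: the policy captures all traffic, "
            "including the SSH session to this host"))
    for key in ("ike", "esp"):
        weak = [a for a in re.split(r"[-,!]", conn.get(key, "")) if a in LEGACY_ALGS]
        if weak:
            findings.append(("LEGACY_CRYPTO", f"{key}={conn[key]}: legacy algorithms {weak}; "
                "prefer e.g. aes256-sha256-modp2048 if the peer accepts it"))
    return findings


def vti_commands(conn, name, inside_local, inside_remote, remote_cidr):
    """Shell commands that give marked traffic a way into the tunnel: a VTI whose
    key equals the mark, plus a route for the remote network over it.  The /30
    inside addresses and remote_cidr are deployment values the caller supplies."""
    mark, _ = parse_mark(conn["mark"])
    return [
        f"ip link add {name} type vti local {conn['leftid']} remote {conn['right']} key {mark}",
        f"ip addr add {inside_local} peer {inside_remote} dev {name}",
        f"sysctl -w net.ipv4.conf.{name}.disable_policy=1",
        f"ip link set {name} up",
        f"ip route add {remote_cidr} dev {name}",
    ]


if __name__ == "__main__":
    conn = parse_ipsec_conf(SAMPLE_CONF)["conn Tunnel1"]
    for code, msg in check_conn(conn):
        print(f"[{code}] {msg}")
    # Placeholder values: the AWS-assigned inside /30 pair and the VPC CIDR are not in the post.
    for cmd in vti_commands(conn, "Tunnel1", "169.254.10.2/30", "169.254.10.1/30", "10.0.0.0/16"):
        print(cmd)
```

On the droplet itself, `ip xfrm policy` shows whether the installed policies carry `mark 0x64/0xffffffff`; if they do and no interface or mangle rule sets that mark, the symptom above (SA up, no traffic) is exactly what the kernel produces.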