Question

IPSec VPN between DO Droplet and other (trusted) provider

Hi!

I have a requirement to set up IPsec VPN between my company’s droplet and a network owned by partner company that uses another provider. Tooling:

  • Debian (my droplet) with IP e.g 169.22.231.13 and local address e.g 10.22.0.50
  • IPsec-Tools & Racoon
  • Tunnel
  • ESP

I’ve created a test environment in order to try out the tooling and feasibility of the task, consisting of 2 Droplets that I managed to connect according to the points above, and managed to achieve what I wanted (while testing with my own droplets).

Onto the real case - here’s the description of the remote server (owned by the partner company):

  • entry point has a firewall (my droplet is white-listed) - e.g public IP 153.132.142.123
  • service running on my droplet needs to connect to a service behind this public IP, e.g internal IP 10.100.232.11

I have managed to set up a VPN tunnel between my droplet and the remote network, according to:

  • racoonctl show-sa ipsec showing both in and out directions of the tunnel, with esp mode=tunnel and state=mature
  • racoonctl -l show-sa isakmp is showing correct destination and Phase 2 = 1
  • also, logs are reporting that connection is successfully made

However, when I try to ping the 10.100.232.11 address, it hangs, and when partner service pings my internal IP (that I mapped in Security Association Database) they tell me this IP is unreachable.

I have following suspicions:

  • my and/or partner networks are using NAT, while we both configured our VPNs with NAT Traversal = OFF;
  • DigitalOcean does not allow IPsec VPNs to other providers, due to some internal networking rules to protect our droplets

Can someone point me in the right direction? I would be most grateful to whomever could share some knowledge on this topic with me.

Thanks & Regards

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Greetings!

I don’t use IPSec myself (I tend to use GRE tunnels), but I have a couple of theories that might at least help.

  1. You might try a different internal range to make sure you don’t cross paths with our anchor (for floating IPs) or private networking ranges. What about a 192.168 range? We never use that range for anything we do, but we do have those two things that will operate within subsets of 10.0.0.0/8.

  2. When the packets pass through they should have the public IP as the source in the header. Otherwise we’ll consider it to be spoofed and drop it whether coming in or going out.

Hope that helps a bit!

Jarland