Question
IPSec VPN between DO Droplet and other (trusted) provider
Hi!
I have a requirement to set up IPsec VPN between my company’s droplet and a network owned by partner company that uses another provider.
Tooling:
- Debian (my droplet) with IP e.g. 169.22.231.13 and local address e.g. 10.22.0.50
- IPsec-Tools & Racoon
- Tunnel
- ESP
I’ve created a test environment in order to try out the tooling and feasibility of the task, consisting of 2 Droplets that I managed to connect according to the points above, and managed to achieve what I wanted (while testing with my own droplets).
Onto the real case - here’s the description of the remote server (owned by the partner company):
- entry point has a firewall (my droplet is white-listed) - e.g. public IP 153.132.142.123
- service running on my droplet needs to connect to a service behind this public IP, e.g. internal IP 10.100.232.11
I have managed to set up a VPN tunnel between my droplet and the remote network, according to:
racoonctl show-sa ipsec
showing both in and out directions of the tunnel, with esp mode=tunnel and state=mature
racoonctl -l show-sa isakmp
is showing the correct destination and Phase 2 = 1
- also, logs are reporting that the connection is successfully made
However, when I try to ping the 10.100.232.11 address, it hangs, and when the partner service pings my internal IP (that I mapped in the Security Association Database) they tell me this IP is unreachable.
I have the following suspicions:
- my and/or the partner's networks are using NAT, while we both configured our VPNs with NAT Traversal = OFF;
- DigitalOcean does not allow IPsec VPNs to other providers, due to some internal networking rules to protect our droplets
Can someone point me in the right direction? I would be most grateful to whomever could share some knowledge on this topic with me.
Thanks & Regards
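As an added diagnostic, not part of the original question or of any answer on this page: before suspecting the provider, two things are worth verifying on the droplet for an ipsec-tools setup like the one described. First, a mature SA (what racoonctl show-sa ipsec reports) only proves IKE negotiated keys; traffic between 10.22.0.50 and 10.100.232.11 is steered into the ESP tunnel only if the SPD (setkey -DP) holds matching policies in both directions with the tunnel between the two public endpoints. Second, if the droplet's public address is not actually configured on a local interface, the host is behind NAT, and ESP with NAT Traversal switched off will not pass. The script below uses the question's example addresses, assumes the output formats of ipsec-tools' setkey -DP and iproute2's ip -4 -o addr, and embeds constructed sample output so it can be run offline; on the droplet itself the live commands are substituted as shown in the usage comment.

```shell
#!/bin/sh
# Added diagnostic helpers for the situation described in the question; this is
# not code from the original post. Addresses are the question's example values;
# the output formats assumed are those of `setkey -DP` (SPD dump, ipsec-tools)
# and `ip -4 -o addr` (iproute2).
LOCAL_PUB=169.22.231.13     # droplet public address (IKE/ESP endpoint)
LOCAL_INT=10.22.0.50        # droplet address mapped in the SPD/SAD
REMOTE_PUB=153.132.142.123  # partner firewall / tunnel endpoint
REMOTE_INT=10.100.232.11    # partner internal service address

# spd_has_policy SPD_TEXT DIR SRC DST GW_SRC GW_DST
# Succeeds when the SPD dump contains a policy whose selector is SRC -> DST,
# direction DIR (in|out), and whose ESP tunnel runs from GW_SRC to GW_DST.
# A mature SA alone is not enough: without matching SPD entries in both
# directions the kernel never sends the 10.x traffic into the tunnel.
spd_has_policy() {
  printf '%s\n' "$1" | awk -v dir="$2" -v src="$3" -v dst="$4" -v gw="$5-$6" '
    /^[^ \t]/ { sel = $1 " " $2; next }   # selector line: "SRC[any] DST[any] any"
    $1 == dir && $2 == "ipsec" && sel == src "[any] " dst "[any]" { want = 1; next }
    want && index($0, "esp/tunnel/" gw "/") { found = 1; exit }
    { want = 0 }
    END { exit found ? 0 : 1 }'
}

# behind_nat ADDR_TEXT PUBLIC_IP
# Succeeds when PUBLIC_IP is not configured on any local interface, i.e. the
# host only sees a private address and a device in front of it translates.
# ESP (IP protocol 50) does not cross NAT without NAT-T on both peers.
behind_nat() {
  ! printf '%s\n' "$1" | grep -Fq "inet $2/"
}

# run_checks SPD_TEXT ADDR_TEXT: print one line per check, non-zero on failure.
run_checks() {
  rc=0
  spd_has_policy "$1" out "$LOCAL_INT" "$REMOTE_INT" "$LOCAL_PUB" "$REMOTE_PUB" \
    && echo "SPD out policy $LOCAL_INT -> $REMOTE_INT: present" \
    || { echo "SPD out policy $LOCAL_INT -> $REMOTE_INT: MISSING"; rc=1; }
  spd_has_policy "$1" in "$REMOTE_INT" "$LOCAL_INT" "$REMOTE_PUB" "$LOCAL_PUB" \
    && echo "SPD in policy $REMOTE_INT -> $LOCAL_INT: present" \
    || { echo "SPD in policy $REMOTE_INT -> $LOCAL_INT: MISSING"; rc=1; }
  if behind_nat "$2" "$LOCAL_PUB"; then
    echo "NAT: $LOCAL_PUB is not on a local interface; NAT-T off cannot work"; rc=1
  else
    echo "NAT: $LOCAL_PUB is configured locally; no NAT on this side"
  fi
  return $rc
}

# Constructed sample output of `setkey -DP` on a correctly configured droplet.
SAMPLE_SPD=$(cat <<'EOF'
10.22.0.50[any] 10.100.232.11[any] any
	out ipsec
	esp/tunnel/169.22.231.13-153.132.142.123/require
	spid=1 seq=1 pid=1000
	refcnt=1
10.100.232.11[any] 10.22.0.50[any] any
	in ipsec
	esp/tunnel/153.132.142.123-169.22.231.13/require
	spid=2 seq=0 pid=1000
	refcnt=1
EOF
)
# Constructed sample output of `ip -4 -o addr`: public IP present on eth0.
SAMPLE_ADDR_PUBLIC='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 169.22.231.13/20 brd 169.22.239.255 scope global eth0
3: eth1    inet 10.22.0.50/16 brd 10.22.255.255 scope global eth1'
# Constructed: the same host seen from behind a NAT box (public IP absent).
SAMPLE_ADDR_NAT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# On the droplet itself:  run_checks "$(setkey -DP)" "$(ip -4 -o addr)"
# Offline demonstration against the constructed samples:
run_checks "$SAMPLE_SPD" "$SAMPLE_ADDR_PUBLIC"
```

If both SPD policies are present and the public IP is local, the remaining suspects are on the path rather than on this host: the partner side's own SPD, a return route for 10.22.0.50 inside the partner network, and whether the partner firewall passes ESP (protocol 50) and UDP/500 and not just TCP.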