Hi!

I have a requirement to set up IPsec VPN between my company’s droplet and a network owned by partner company that uses another provider.
Tooling:

• Debian (my droplet) with IP e.g 169.22.231.13 and local address e.g 10.22.0.50
• IPsec-Tools & Racoon
• Tunnel
• ESP

I’ve created a test environment in order to try out the tooling and feasibility of the task, consisting of 2 Droplets that I managed to connect according to the points above, and managed to achieve what I wanted (while testing with my own droplets).

Onto the real case - here’s the description of the remote server (owned by the partner company):

• entry point has a firewall (my droplet is white-listed) - e.g public IP 153.132.142.123
• service running on my droplet needs to connect to a service behind this public IP, e.g internal IP 10.100.232.11

I have managed to set up a VPN tunnel between my droplet and the remote network, according to:

• racoonctl show-sa ipsec showing both in and out directions of the tunnel, with esp mode=tunnel and state=mature
• racoonctl -l show-sa isakmp is showing correct destination and Phase 2 = 1
• also, logs are reporting that connection is successfully made

However, when I try to ping the 10.100.232.11 address, it hangs, and when partner service pings my internal IP (that I mapped in Security Association Database) they tell me this IP is unreachable.

I have following suspicions:

• my and/or partner networks are using NAT, while we both configured our VPNs with NAT Traversal = OFF;
• DigitalOcean does not allow IPsec VPNs to other providers, due to some internal networking rules to protect our droplets

Can someone point me in the right direction? I would be most grateful to whomever could share some knowledge on this topic with me.

Thanks & Regards