IPSec VPN between DO Droplet and other (trusted) provider
I have a requirement to set up IPsec VPN between my company’s droplet and a network owned by partner company that uses another provider.
- Debian (my droplet) with IP e.g
126.96.36.199and local address e.g
- IPsec-Tools & Racoon
I’ve created a test environment in order to try out the tooling and feasibility of the task, consisting of 2 Droplets that I managed to connect according to the points above, and managed to achieve what I wanted (while testing with my own droplets).
Onto the real case - here’s the description of the remote server (owned by the partner company):
- entry point has a firewall (my droplet is white-listed) - e.g public IP
- service running on my droplet needs to connect to a service behind this public IP, e.g internal IP
I have managed to set up a VPN tunnel between my droplet and the remote network, according to:
racoonctl show-sa ipsecshowing both in and out directions of the tunnel, with
racoonctl -l show-sa isakmpis showing correct destination and
Phase 2 = 1
- also, logs are reporting that connection is successfully made
However, when I try to ping the
10.100.232.11 address, it hangs, and when partner service pings my internal IP (that I mapped in Security Association Database) they tell me this IP is unreachable.
I have following suspicions:
- my and/or partner networks are using
NAT, while we both configured our VPNs with
NAT Traversal = OFF;
- DigitalOcean does not allow IPsec VPNs to other providers, due to some internal networking rules to protect our droplets
Can someone point me in the right direction? I would be most grateful to whomever could share some knowledge on this topic with me.
Thanks & Regards
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.