By rdjurdjevic
Hi!
I have a requirement to set up IPsec VPN between my company’s droplet and a network owned by partner company that uses another provider. Tooling:
169.22.231.13 and local address e.g. 10.22.0.50
I've created a test environment in order to try out the tooling and feasibility of the task, consisting of 2 Droplets that I managed to connect according to the points above, and managed to achieve what I wanted (while testing with my own droplets).
Onto the real case - here’s the description of the remote server (owned by the partner company):
153.132.142.123
10.100.232.11
I have managed to set up a VPN tunnel between my droplet and the remote network, according to:
racoonctl show-sa ipsec showing both in and out directions of the tunnel, with esp mode=tunnel and state=mature
racoonctl -l show-sa isakmp is showing the correct destination and Phase 2 = 1
However, when I try to ping the 10.100.232.11 address, it hangs, and when the partner service pings my internal IP (that I mapped in the Security Association Database) they tell me this IP is unreachable.
I have following suspicions:
NAT, while we both configured our VPNs with NAT Traversal = OFF;
Can someone point me in the right direction? I would be most grateful to whomever could share some knowledge on this topic with me.
Thanks & Regards
Greetings!
I don’t use IPSec myself (I tend to use GRE tunnels), but I have a couple of theories that might at least help.
You might try a different internal range to make sure you don’t cross paths with our anchor (for floating IPs) or private networking ranges. What about a 192.168 range? We never use that range for anything we do, but we do have those two things that will operate within subsets of 10.0.0.0/8.
When the packets pass through they should have the public IP as the source in the header. Otherwise we’ll consider it to be spoofed and drop it whether coming in or going out.
Hope that helps a bit!
Jarland
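The two checks raised in this thread (do the inner ranges collide with provider-owned subsets of 10.0.0.0/8, and do the outer endpoints carry a public source address) can be scripted before touching the tunnel config. The following is an added example, not code from either poster or from DigitalOcean; it uses the addresses quoted in the question, but the PROVIDER_RESERVED list is a constructed placeholder, since the thread does not state which 10.0.0.0/8 subsets are actually used. It also adds a third check practitioners want once the SA is mature: whether the test traffic actually falls inside the SPD selectors, because a ping from an address outside the policy never enters the tunnel no matter what racoonctl show-sa reports.

```python
"""Sanity checks for a site-to-site IPsec plan (added example, not from the thread)."""
import ipaddress

# Values quoted in the question: outer (public) endpoints and inner addresses.
LOCAL_PUBLIC = "169.22.231.13"
REMOTE_PUBLIC = "153.132.142.123"
LOCAL_INNER_HOST = "10.22.0.50"
REMOTE_INNER_HOST = "10.100.232.11"

# Constructed placeholder: subsets of 10.0.0.0/8 a provider might reserve for
# floating-IP anchors or private networking. Real values are not on the page.
PROVIDER_RESERVED = ["10.10.0.0/16", "10.22.0.0/16"]


def overlapping(prefix, reserved):
    """Return the reserved networks (CIDR strings) that overlap `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [r for r in reserved
            if net.overlaps(ipaddress.ip_network(r, strict=False))]


def endpoint_problems(addr):
    """Reasons `addr` cannot serve as an outer ESP/ISAKMP endpoint.

    The answer's point: packets must leave with the public IP as source or the
    provider treats them as spoofed. A non-global address here is a plan error.
    """
    ip = ipaddress.ip_address(addr)
    if not ip.is_global:
        return [f"{addr} is not globally routable; the outer header needs the public IP"]
    return []


def selector_covers(policy_src, policy_dst, pkt_src, pkt_dst):
    """True if an SPD entry policy_src->policy_dst selects packet pkt_src->pkt_dst.

    A mature SA only carries traffic that matches the policy selectors; a ping
    sourced from the wrong interface address simply bypasses the tunnel.
    """
    src_net = ipaddress.ip_network(policy_src, strict=False)
    dst_net = ipaddress.ip_network(policy_dst, strict=False)
    return (ipaddress.ip_address(pkt_src) in src_net
            and ipaddress.ip_address(pkt_dst) in dst_net)


def check_plan(local_public, remote_public, local_inner, remote_inner, reserved):
    """Collect every issue found; an empty list means these checks pass."""
    issues = []
    for addr in (local_public, remote_public):
        issues.extend(endpoint_problems(addr))
    for side, prefix in (("local", local_inner), ("remote", remote_inner)):
        clashes = overlapping(prefix, reserved)
        if clashes:
            issues.append(f"{side} inner range {prefix} overlaps provider ranges {clashes}")
    if ipaddress.ip_network(local_inner, strict=False).overlaps(
            ipaddress.ip_network(remote_inner, strict=False)):
        issues.append(f"inner ranges {local_inner} and {remote_inner} overlap each other")
    return issues


if __name__ == "__main__":
    # Inner /24s are assumed around the two hosts quoted in the question.
    plan = check_plan(LOCAL_PUBLIC, REMOTE_PUBLIC,
                      "10.22.0.0/24", "10.100.232.0/24", PROVIDER_RESERVED)
    for issue in plan or ["no issues found"]:
        print(issue)
    # Would a ping between the two inner hosts actually match the SPD?
    print("ping matches policy:",
          selector_covers("10.22.0.0/24", "10.100.232.0/24",
                          LOCAL_INNER_HOST, REMOTE_INNER_HOST))
    # Same ping sourced from the public interface does not.
    print("ping from public IP matches policy:",
          selector_covers("10.22.0.0/24", "10.100.232.0/24",
                          LOCAL_PUBLIC, REMOTE_INNER_HOST))
```

If `check_plan` flags the 10.x inner range, moving to the 192.168.0.0/16 space suggested in the answer clears that finding; if `selector_covers` is False for the traffic you test with, force the source with `ping -I <inner address>` (or add a route for the remote prefix via the inner address) rather than reconfiguring the SA.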