Question

Site to site IPSec tunnel between Digital Ocean droplet and Unifi

I’d like to get a site-to-site tunnel established between my home network (with a Unifi router) and a couple of Digital Ocean droplets. I initially followed this tutorial and eventually deviated a little bit and ended up using the documentation on the StrongSwan website.

The good news is, I’ve got a working connection, as is evident from this connection output:

[IKE] initiating IKE_SA homeconnection[1] to @homeIP
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from @dropletIP[500] to @homeIP[500] (464 bytes)
[NET] received packet: from @homeIP[500] to @dropletIP[500] (440 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '@dropletIP' (myself) with pre-shared key
[IKE] establishing CHILD_SA homeconnection{2}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from @dropletIP[500] to @homeIP[500] (380 bytes)
[NET] received packet: from @homeIP[500] to @dropletIP[500] (316 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '@homeIP' with pre-shared key successful
[IKE] IKE_SA homeconnection[1] established between @dropletIP[@dropletIP]...@homeIP[@homeIP]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA homeconnection{2} established with SPIs ca94b878_i ce0f8e0a_o and TS 192.168.90.0/24 === 192.168.1.0/24
initiate completed successfully

But I’m unable to send any traffic through the tunnel (in either direction). To test this, I installed nginx on the droplet and I’ve confirmed that I can access the start page if I use the public IP address, but the request times out when I try to use the VPC internal address on eth0.

Pinging in either direction also fails with 100% packet loss.

To keep things simple, UFW is disabled on the droplet, and I’ve got an allow-all rule on the firewall for my home IP.

Someone else I was talking to speculated that the issue might have been caused by the fact that eth0 has two IP addresses attached to it (the public IPv4 and the internal IPv4 used for floating IPs), but wasn’t able to offer any more advice as they weren’t familiar with Digital Ocean’s environment.
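
An added diagnostic, not part of the original question: it parses the CHILD_SA line from the strongSwan output above and checks whether a given source/destination pair falls inside the negotiated traffic selectors. The kernel XFRM policy that strongSwan installs only applies ESP to packets matching those selectors, so a test ping whose source address lies outside the local selector (192.168.90.0/24 on the droplet side) leaves the host by the normal routing table instead of through the tunnel. The VPC address 10.132.0.5 used in the example is a constructed placeholder.

```python
import ipaddress
import re

# Constructed sample: the CHILD_SA line from the strongSwan output quoted in the
# question (only the traffic-selector part is used here).
SAMPLE_LOG = (
    "[IKE] CHILD_SA homeconnection{2} established with SPIs ca94b878_i ce0f8e0a_o "
    "and TS 192.168.90.0/24 === 192.168.1.0/24"
)

TS_RE = re.compile(r"\bTS (.+?) === (.+?)\s*$", re.MULTILINE)


def parse_traffic_selectors(log_text):
    """Return ([local nets], [remote nets]) from a 'TS <local> === <remote>' line.

    strongSwan prints the local selectors left of '===' and the remote ones on
    the right; when a side has several selectors they are space separated.
    """
    m = TS_RE.search(log_text)
    if m is None:
        raise ValueError("no CHILD_SA traffic selectors found in log")

    def to_nets(side):
        return [ipaddress.ip_network(t, strict=False) for t in side.split()]

    return to_nets(m.group(1)), to_nets(m.group(2))


def selected_by_tunnel(local_nets, remote_nets, src, dst):
    """True if a packet src -> dst matches the CHILD_SA selectors.

    The XFRM policy only protects packets whose source is inside a local
    selector and whose destination is inside a remote one; anything else is
    routed normally and never enters the tunnel.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in local_nets) and any(d in n for n in remote_nets)


def diagnose(log_text, src, dst):
    """Explain whether a test packet would enter the tunnel on this side."""
    local, remote = parse_traffic_selectors(log_text)
    if selected_by_tunnel(local, remote, src, dst):
        return "matches TS: packet is ESP-protected towards the peer"
    return "outside TS: packet bypasses the tunnel; use a source inside the local selector"


if __name__ == "__main__":
    # 10.132.0.5 is a constructed placeholder for the droplet's VPC address.
    for src in ("10.132.0.5", "192.168.90.1"):
        print(src, "-> 192.168.1.10:", diagnose(SAMPLE_LOG, src, "192.168.1.10"))
```

On the droplet, `ip xfrm policy` shows the installed selectors and `ping -I <local-selector-address> <home-host>` forces a matching source, which is the quickest way to confirm the distinction the script makes.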
