
Site to site IPSec tunnel between Digital Ocean droplet and Unifi

Posted on December 10, 2022

I’d like to get a site-to-site tunnel established between my home network (with a Unifi router) and a couple of digital ocean droplets. I initially followed this tutorial and eventually deviated a little bit and ended up using the documentation on the StrongSwan website.

The good news is, I’ve got a working connection, as evident by this connection output:

[IKE] initiating IKE_SA homeconnection[1] to @homeIP
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from @dropletIP[500] to @homeIP[500] (464 bytes)
[NET] received packet: from @homeIP[500] to @dropletIP[500] (440 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '@dropletIP' (myself) with pre-shared key
[IKE] establishing CHILD_SA homeconnection{2}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from @dropletIP[500] to @homeIP[500] (380 bytes)
[NET] received packet: from @homeIP[500] to @dropletIP[500] (316 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '@homeIP' with pre-shared key successful
[IKE] IKE_SA homeconnection[1] established between @dropletIP[@dropletIP]...@homeIP[@homeIP]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA homeconnection{2} established with SPIs ca94b878_i ce0f8e0a_o and TS 192.168.90.0/24 === 192.168.1.0/24
initiate completed successfully

But I’m unable to send any traffic through the tunnel (in either direction). To test this, I installed nginx on the droplet and I’ve confirmed that I can access the start page if I use the public IP address, but the request times out when I try to use the VPC internal address on eth0.

Pinging in either direction also fails with 100% packet loss.

To keep things simple, UFW is disabled on the droplet, and I’ve got an allow all rule on the firewall for my home IP.

Someone else I was talking to speculated that the issue might have been caused by the fact that eth0 has two IP addresses attached to it (the public IPv4 and the internal IPv4 used for floating IPs), but wasn’t able to offer any more advice as they weren’t familiar with Digital Ocean’s environment.


Heya,

There could be various reasons for this issue. I’ll outline some common troubleshooting steps to help you identify and resolve the problem.

  1. Check IP Addressing:
  • Ensure that the IP address and subnet configurations on both ends of the VPN match the expected settings. This includes the internal IP address ranges and the subnet masks.
  2. Routing Configuration:
  • Make sure that the routing is properly set up on both the Unifi router and the DigitalOcean droplet. You need to add routes that direct traffic for the remote subnet through the VPN tunnel.
  3. Firewall Rules:
  • On the DigitalOcean droplet, double-check the firewall rules and security group settings to ensure that the VPN traffic is allowed. Since you’ve disabled UFW and have an “allow all” rule, this should not be a problem, but it’s still worth verifying.
  4. NAT Traversal (NAT-T):
  • If your Unifi router or any device in your home network is behind a NAT device, make sure that NAT traversal (NAT-T) is enabled. NAT-T is required for VPN traffic to traverse NAT gateways.
  5. Security Associations (SA):
  • Ensure that the security associations are correctly established on both sides. You can use the ipsec status or ip xfrm state command to check the active SAs. Confirm that the traffic selectors are set correctly.
  6. IP Forwarding:
  • On the DigitalOcean droplet, ensure that IP forwarding is enabled. You can do this by running the following command:

    sysctl net.ipv4.ip_forward

  If it returns “0,” you need to enable IP forwarding by modifying /etc/sysctl.conf and setting net.ipv4.ip_forward = 1.

  7. Source and Destination Address Configuration:
  • Verify that the applications or services you are trying to access through the VPN are correctly configured to listen to the internal IP addresses and that you are attempting to access them using the appropriate internal IP addresses.
  8. Security Group and Firewall Whitelist:
  • Ensure that there are no additional firewall rules or security group settings on your DigitalOcean droplet that might block the traffic. Double-check both the server’s firewall and the DigitalOcean control panel for any potential restrictions.
  9. Troubleshoot Connectivity Step by Step:
  • Start with basic connectivity tests. Ping from one end to the other, and then run more specific tests (e.g., trying to access a specific service). This can help you pinpoint where the traffic is failing.
  10. Logs and Diagnostics:
  • Review the log files on both the Unifi router and the DigitalOcean droplet for any error messages or warnings that might indicate what’s causing the issue.
  11. Double-Check Network Interfaces:
  • Regarding your concern about the DigitalOcean droplet having two IP addresses on its eth0 interface, this shouldn’t be an issue as long as your VPN is configured to use the correct internal IP address.
  12. Debugging Tools:
  • You can use tools like tcpdump or Wireshark to capture and analyze traffic on both ends to help identify where the traffic might be getting blocked or dropped.

If you continue to experience issues after going through these steps, it might be helpful to provide more specific information about your configuration, any relevant log entries, or any error messages you encounter, as this can assist in diagnosing the problem more accurately.

Hope that this helps!

Should this still be an issue for you, I ran into the same problem. It was due to the cloud firewall (via Digital Ocean) not passing through ESP packets.

In other words, disable the cloud firewall for the droplet, use the software firewall of the OS and expose it directly to the internet. Alternatively you can use NAT traversal to encapsulate the ESP packet into UDP if you want to spend more time on it.
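An added example (not from either answer above) that turns the SA check from the first answer and the ESP-versus-cloud-firewall finding from the second into a repeatable script for the droplet. It reads a strongSwan charon log like the one in the question: IKEv2 peers that detect a NAT switch to UDP port 4500 and wrap ESP in UDP, so IKE_AUTH still running on port 500 means ESP leaves the droplet as raw IP protocol 50, which a cloud firewall that only knows TCP/UDP rules may drop. The sample log, the documentation addresses and the temp-file path are constructed for the example; the live checks assume Linux with iproute2.

```bash
#!/usr/bin/env bash
# Diagnose "IKE up, no traffic" for a strongSwan site-to-site tunnel.
# Added example, not code from the original post. Assumes a charon log file
# (e.g. the output of `ipsec up <conn>`) and Linux with iproute2.

# Classify the ESP transport from a charon log: "udp-encap" when IKE_AUTH was
# sent on UDP 4500 (NAT-T active, ESP wrapped in UDP), "raw-esp" when it stayed
# on port 500 (ESP sent as IP protocol 50; a cloud firewall may not pass it).
esp_transport() {
  if grep -q 'sending packet: from [^ ]*\[4500\]' "$1"; then
    echo "udp-encap"
  else
    echo "raw-esp"
  fi
}

# Extract the negotiated traffic selectors from the CHILD_SA line, e.g.
# "192.168.90.0/24 === 192.168.1.0/24"; traffic outside these nets is never
# matched by the xfrm policy and goes out in the clear (or nowhere).
child_sa_ts() {
  sed -n 's/.*CHILD_SA .* established .* TS \(.*\)$/\1/p' "$1" | head -n1
}

# Constructed excerpt mirroring the poster's log (IKE on port 500, no NAT-T).
# Addresses are documentation ranges, not real hosts. Returns the file path.
sample_log() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
[NET] sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (380 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA homeconnection{2} established with SPIs ca94b878_i ce0f8e0a_o and TS 192.168.90.0/24 === 192.168.1.0/24
EOF
  echo "$f"
}

# Live checks on the droplet (not exercised by the test): the forwarding flag,
# the installed xfrm policies, and per-SA byte counters that should grow while
# a ping is running; if the outbound counter grows but nothing comes back,
# ESP is leaving the host and being dropped on the path.
live_checks() {
  printf 'ip_forward=%s\n' "$(cat /proc/sys/net/ipv4/ip_forward)"
  ip xfrm policy
  ip -s xfrm state | grep -E 'spi|bytes'
}
```

Run `esp_transport /var/log/charon.log` (or whichever log path you use); "raw-esp" together with an enabled cloud firewall matches the second answer's diagnosis, and enabling NAT-T or moving filtering to the host firewall are the two remedies it names.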
