Question

Site to site IPSec tunnel between Digital Ocean droplet and Unifi

I’d like to get a site-to-site tunnel established between my home network (with a Unifi router) and a couple of digital ocean droplets. I initially followed this tutorial and eventually deviated a little bit and ended up using the documentation on the StrongSwan website.

The good news is, I’ve got a working connection, as evident by this connection output:

[IKE] initiating IKE_SA homeconnection[1] to @homeIP
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from @dropletIP[500] to @homeIP[500] (464 bytes)
[NET] received packet: from @homeIP[500] to @dropletIP[500] (440 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '@dropletIP' (myself) with pre-shared key
[IKE] establishing CHILD_SA homeconnection{2}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from @dropletIP[500] to @homeIP[500] (380 bytes)
[NET] received packet: from @homeIP[500] to @dropletIP[500] (316 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of '@homeIP' with pre-shared key successful
[IKE] IKE_SA homeconnection[1] established between @dropletIP[@dropletIP]...@homeIP[@homeIP]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA homeconnection{2} established with SPIs ca94b878_i ce0f8e0a_o and TS 192.168.90.0/24 === 192.168.1.0/24
initiate completed successfully

But I’m unable to send any traffic through the tunnel (in either direction). To test this, I installed nginx on the droplet and I’ve confirmed that I can access the start part if I use the public IP address, but the request times out when I try and use the VPC internal address on eth0.

Pinging in either direction also fails with 100% packet loss.

To keep things simple, UFW is disabled on the droplet, and I’ve got an allow all rule on the firewall for my home IP.

Someone else I was talking to speculated that the issue might have been cause by the fact that eth0 has two IP addresses attached to it (the public IPv4 and the internal IPv4 used for floating IP’s), but wasn’t able to offer any more advice as they weren’t familiar with Digital Oceans environment.


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

card icon
Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up
card icon
Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.

Learn more
card icon
Become a contributor

You get paid; we donate to tech nonprofits.

Learn more
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine or ten thousand.

Learn more ->
DigitalOcean Cloud Control Panel
Get started for free

Enter your email to get $200 in credit for your first 60 days with DigitalOcean.

New accounts only. By submitting your email you agree to our Privacy Policy.

© 2023 DigitalOcean, LLC.