[Swan] Can't route back down ipsec tunnel from VPS

Paul Wouters paul at nohats.ca
Fri Jan 2 20:57:35 EET 2015

On Wed, 3 Dec 2014, Darren Share wrote:

late reply, message was lost in the inbox.....

> FYI, I have also posted this on Server Fault. I am trying to establish an ipsec VPN from a Draytek router on the edge of our corporate
> network to a VPS on Digital Ocean. I've set up the VPN on the VPS using this script -
> https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn - on an Ubuntu 14.04 machine. I believe the script downloads and installs

That seems to be for L2TP/IPsec, not plain IPsec.

> conn vpnpsk
>  connaddrfamily=ipv4
>  auto=add
>  left=
> #  leftid=
> #  leftsubnet=
>  leftsubnet=
> #  leftnexthop=%defaultroute
>  leftnexthop=%direct
>  leftprotoport=17/1701
>  rightprotoport=17/%any
> #  right=%any
>  right=
>  rightsourceip=
>  leftsourceip=
> #  rightsubnetwithin=

You seem to mean to build a net-to-net from to ?

Your "right" should be the actual public IP of the server on that end,
or, if responding only (because the other end is behind NAT), %any.
rightsubnet= should contain instead.

You should NOT configure left/rightprotoport because that's for
transport mode host-to-host L2TP/IPsec only!

You should also not need leftnexthop=%direct or rightsourceip=

>  forceencaps=yes
>  authby=secret
>  pfs=no

better to do pfs=yes if possible.

>  type=transport

and you will need type=tunnel

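The following is an added example, not part of the original message or of the script Darren used: a Libreswan ipsec.conf net-to-net conn that applies the points above (type=tunnel, left/rightsubnet instead of protoport, no nexthop/sourceip, pfs=yes). The addresses are RFC 5737 documentation placeholders and the subnets are assumed; the real values from the thread are not shown on this page.

```ini
# Added example (not from the original thread). Placeholder values:
#   203.0.113.10    assumed public IP of the VPS (this host)
#   198.51.100.20   assumed public IP of the Draytek router
#   10.10.0.0/24    assumed network behind the VPS
#   192.168.1.0/24  assumed corporate LAN behind the Draytek
conn office-to-vps
    type=tunnel                 # net-to-net needs tunnel mode, not transport
    authby=secret               # pre-shared key, matched in ipsec.secrets
    pfs=yes                     # perfect forward secrecy; use unless the peer cannot
    auto=start
    # VPS side
    left=203.0.113.10           # public IP of the VPS
    leftsubnet=10.10.0.0/24     # network reachable behind the VPS
    # Router side
    right=198.51.100.20         # public IP of the Draytek; use %any only if it
                                # sits behind NAT and always initiates
    rightsubnet=192.168.1.0/24  # corporate LAN behind the Draytek
    # Deliberately absent, per the advice above:
    #   leftprotoport=/rightprotoport=  (transport-mode L2TP/IPsec only)
    #   leftnexthop=%direct, rightsourceip=, leftsourceip=
```

The matching ipsec.secrets entry takes the form `203.0.113.10 198.51.100.20 : PSK "..."` with the same two public addresses; with `right=%any` the responder side would use `%any` in that position instead.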
