Firewall - IPSec protocols 50 and 51

Hello

Would be nice to have support for IPSec-ESP (50) and IPSec-AH (51) protocols in DigitalOcean Firewall.

Currently I have to use iptables since DO FW is limited to TCP, UDP and ICMP.

  • Guest
  • Nov 30 2018
  • Future consideration
Cloud Firewalls
  • Comments (8)
  • Votes (80)
  • Ladislav Gallay commented
    25 Oct, 2020 11:38pm

    Yes please!

  • Aubree Thomas commented
    11 Oct, 2020 03:58pm

    This is a great feature and is a good addition to this website.

  • Nandan Bisht commented
    11 Oct, 2020 03:55pm

    Hi I welcome to be here

  • Nandan Bisht commented
    11 Oct, 2020 03:54pm

    HI

  • Fredrik Yayabee commented
    28 Jul, 2020 09:41am

    We would very much welcome this feature. We would like to connect one of our Digital Ocean droplets to another external datacenter that we operate fully ourselves, over IPSEC point-to-point (we use Strongswan for this). Currently, this is only possible if we turn off the DigitalOcean Firewall, but this means we have to rely on UFW instead. UFW is good, but for example it allows ICMP traffic from anywhere by default, and there are some other quirks as well. We would feel much more secure with being able to have DigitalOcean Firewall that can allow IPSEC traffic (i.e. ESP packets to pass through). This should be an easy fix from DigitalOcean, and it feels very unmodern to not support this. DigitalOcean, can you PLEASE implement this, giving better security for all?

  • Guest commented
    7 Jul, 2020 11:56pm

    Digital Ocean really doesn't understand what these protocols are (https://www.digitalocean.com/community/questions/does-do-firewall-support-ip-protocol-50-esp) or why someone would want to use them.

    Specifically, people that run Docker Swarm on Digital Ocean servers, who also use the Digital Ocean Cloud Firewall. The DO Cloud Firewall does not allow people to configure allow/deny rules for Protocol 50 or Protocol 51 (not ports). This is important because Docker Swarm can be run on multiple servers and the Swarm Network stack uses IPSEC tunnels on the back-end to power the mesh-network. If I want to use more than one DO server in my Docker Swarm, I need to add firewall rules for these protocols. Since the DO firewall does not support these protocols, the other option here is to expose all of my servers nakedly to the internet and rely upon iptables / UFW to do the heavy lifting and thwart a massive amount of malicious internet traffic (while being able to allow Protocol 50/51).

    I would much prefer to use multiple DO servers in my Docker Swarm and have them all protected by the DO Cloud Firewall. The tradeoff of staying on a single server inside DO vs. exposing my boxes to the raw internet right now is much in favor of security... which means: Hey Digital Ocean! I'm stuck on one box in your datacenter until you allow me to add ESP Protocol 50 & 51 rules to your Cloud Firewall.

  • Harish Chander commented
    17 May, 2020 07:09am

    Is there an update on this, or an ETA?


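For the site-to-site case described in the comments above, where the host firewall has to do the filtering because the cloud firewall cannot match protocols 50 and 51, the following added example (not from the thread or from DigitalOcean) generates an iptables-restore ruleset that admits IKE, ESP and AH only from listed peers. The function names, the SSH rule and the peer addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# admits IKE, ESP (protocol 50) and AH (protocol 51) only from named peers.
# Assumptions: the Droplet is the tunnel endpoint, runs no Docker (a full
# restore would flush Docker's chains), and is administered over SSH.

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: ipsec_ruleset PEER_IP...   (prints the ruleset on stdout)
ipsec_ruleset() {
    [ "$#" -ge 1 ] || { echo "need at least one peer" >&2; return 1; }
    for peer in "$@"; do
        valid_ipv4 "$peer" || { echo "invalid peer: $peer" >&2; return 1; }
    done
    # Default-drop inbound. The policy match accepts only packets that were
    # decapsulated from an IPsec SA, so tunnelled traffic is not dropped.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
EOF
    # Per-peer rules: IKE and NAT-T (UDP 500/4500), ESP, AH, and ping.
    for peer in "$@"; do
        echo "-A INPUT -s $peer/32 -p udp -m multiport --dports 500,4500 -j ACCEPT"
        echo "-A INPUT -s $peer/32 -p esp -j ACCEPT"
        echo "-A INPUT -s $peer/32 -p ah -j ACCEPT"
        echo "-A INPUT -s $peer/32 -p icmp --icmp-type echo-request -j ACCEPT"
    done
    echo "COMMIT"
}

# Dry run with a constructed peer (RFC 5737 range); needs root and iptables:
#   ipsec_ruleset 203.0.113.10 | iptables-restore --test
```

Unlike the UFW default mentioned in the comments, this ruleset answers ICMP echo requests only from the listed peers; ICMP errors for existing flows still pass through the conntrack rule.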