I had a hard time finding why my OpenVZ containers wouldn’t respond to ping-packets which came in through IPSEC. Some guides suggested to use disable_policy – I did without success. A few days later by accident I realized that you need to do that within the VM.
The Setup goes like this:
bridge <-> node1 <-> world <-> node2 <-> bridge <-> container
A ping from node1 is received on node2 and I was able to clearly see incoming ESP packets using tcpdump. Using tcpdump even further I was able to see that the packets get decrypted (there are ICMP packets). From within the VM you can see the echo requests using tcpdump as well. But the system was not answering those packets with an echo reply. Whatever I did on the host side, the final fix was:
echo 1 > /proc/sys/net/ipv4/conf/eth0/disable_policy
WITHIN the Container. Not from the outside. So if you’re using a bridged setup with OpenVZ and you’ve got similar trouble, you might want to try that setting.
Taken from the kernel documentation:
disable_policy - BOOLEAN Disable IPSEC policy (SPD) for this interface disable_xfrm - BOOLEAN Disable IPSEC encryption on this interface, whatever the policy