Parallels Virtuozzo Containers for Linux 3.0, 4.0, 4.6 and 4.7 do not support IPsec inside of containers. Upgrade to Parallels Cloud Server to be able to use IPsec in containers.
Parallels Cloud Server 6.0 supports IPsec inside of containers starting from Update 6 (build 6.0.6-1992).
To enable IPsec support inside of a container:
Install all the pending PCS updates on the hardware node and reboot into kernel 2.6.32-042stab084.8 or newer
Make sure necessary kernel modules are loaded before the container starts.
List of modules necessary for IPsec to work:
af_key esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel
To load modules manually just once:
Execute following command:
~# for module in af_key esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel; do modprobe $module;done
After that it is necessary to restart the Virtuozzo Management service so that Virtuozzo acknowledges the availability of these modules:
Note!: all containers will be restarted during service restart
~# service vz restart
To load modules automatically on server boot:
Create a separate file /etc/sysconfig/modules/vzipsec.modules to load the modules automatically during the boot process. The file should have the following content:
~# cat /etc/sysconfig/modules/vzipsec.modules
#!/bin/sh
for module in af_key esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel; do modprobe $module;done
Make file executable:
~# chmod +x /etc/sysconfig/modules/vzipsec.modules
Grant the container in question the net_admin capability; it is crucial for IPsec:
~# vzctl set CTID --capability net_admin:on --save
Note: IPSec can be used for both bridged and host-routed containers.
Note: it is not possible to suspend a container with IPsec. Therefore, online migration of such container does not work.
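The steps above, gathered into one POSIX sh script as an added example (it is not part of the Parallels article or of any Parallels tool). It assumes a PCS 6.0 node where modprobe, lsmod, service and vzctl are on the PATH and the script runs as root; the helper names (missing_modules, write_modules_file, enable_ct_ipsec, demo_missing) and the sample lsmod listing are the editor's own constructions. Run without arguments it only does a dry run against the constructed listing; run with a CTID it performs the real procedure, including the vz service restart that restarts every container on the node.

```shell
#!/bin/sh
# Added example, not from the Parallels KB article. Assumes a PCS 6.0 node
# with modprobe/lsmod/service/vzctl available and root privileges. Helper
# names below are the editor's own, not part of any Parallels tool.

# Modules the article lists as required for IPsec inside a container.
IPSEC_MODULES="af_key esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel"
MODULES_FILE=/etc/sysconfig/modules/vzipsec.modules

# Read lsmod output on stdin and print the required modules that are not
# loaded, space-separated. Empty output means all of them are present.
missing_modules() {
    loaded=$(awk 'NR > 1 { printf "%s ", $1 }')
    missing=""
    for m in $IPSEC_MODULES; do
        case " $loaded" in
            *" $m "*) ;;                             # already loaded
            *) missing="${missing:+$missing }$m" ;;  # append with a space
        esac
    done
    printf '%s\n' "$missing"
}

# Write the boot-time loader the article describes and make it executable.
write_modules_file() {
    dest="$1"
    printf '#!/bin/sh\nfor module in %s; do modprobe $module; done\n' \
        "$IPSEC_MODULES" > "$dest"
    chmod +x "$dest"
}

# Full procedure for one container: load the modules now, verify they are
# really present, persist the loader, restart the vz service (this restarts
# every container on the node) and grant the container net_admin.
enable_ct_ipsec() {
    ctid="$1"
    for m in $IPSEC_MODULES; do
        modprobe "$m" || return 1
    done
    left=$(lsmod | missing_modules)
    if [ -n "$left" ]; then
        echo "still not loaded: $left (kernel older than 2.6.32-042stab084.8?)" >&2
        return 1
    fi
    write_modules_file "$MODULES_FILE"
    service vz restart || return 1
    vzctl set "$ctid" --capability net_admin:on --save
}

# Constructed lsmod output for the dry run: only three of the five modules
# are loaded, so esp6 and xfrm6_mode_tunnel should be reported as missing.
SAMPLE_LSMOD='Module                  Size  Used by
af_key                 36052  0
esp4                    7548  0
xfrm4_mode_tunnel       2546  0
ipv6                  322291  30'

# Dry-run helper: what the sample node would still need to modprobe.
demo_missing() {
    printf '%s\n' "$SAMPLE_LSMOD" | missing_modules
}

if [ $# -gt 0 ]; then
    enable_ct_ipsec "$1"
else
    echo "dry run, modules still to load on the sample node: $(demo_missing)"
fi
```

The verification step after modprobe matters because modprobe can succeed for some modules and fail for others on an older kernel; checking lsmod before restarting the vz service avoids restarting every container on the node for nothing.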