Article ID: 112493, created on Oct 10, 2011, last review on Jun 17, 2016

  • Applies to:
  • Virtuozzo 6.0


Parallels Virtuozzo Containers for Linux 3.0, 4.0, 4.6 and 4.7 do not support IPsec inside of containers. Upgrade to Parallels Cloud Server to be able to use IPsec in containers.

Parallels Cloud Server 6.0 supports IPsec inside of containers starting from Update 6 (build 6.0.6-1992).

To enable IPsec support inside of a container:

  1. Install all the pending PCS updates on the hardware node and reboot into kernel 2.6.32-042stab084.8 or newer

  2. Make sure necessary kernel modules are loaded before the container starts.

    List of modules necessary for IPSec to work:

    af_key esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel

    To load modules manually just once:

    Execute following command:

    ~# for module in af_key esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel; do modprobe $module;done

    After that it is necessary to restart Virtuozzo Management service to let Virtuozzo acknowledge this module's availability:

    Note!: all containers will be restarted during service restart

    ~# service vz restart

    To load modules automatically on server boot:

    Create a separate file /etc/sysconfig/modules/vzipsec.modules to load modules automatically during the boot process. File should have following content:

    ~# cat /etc/sysconfig/modules/vzipsec.modules
    for module in af_key esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel; do modprobe $module;done

    Make file executable:

    ~# chmod +x /etc/sysconfig/modules/vzipsec.modules  
  3. Grant container in question net_admin capability, it is crucial for IPSec:

    vzctl set CTID --capability net_admin:on --save

    Note: IPSec can be used for both bridged and host-routed containers.

Note: it is not possible to suspend a container with IPsec. Therefore, online migration of such container does not work.

Search Words

using ipsec inside a container

How to enable IPsec support inside of linux containers


2897d76d56d2010f4e3a28f864d69223 0dd5b9380c7d4884d77587f3eb0fa8ef c62e8726973f80975db0531f1ed5c6a2

Email subscription for changes to this article
Save as PDF