I think the problem is in you routing setup.
ip route get
with proper source, destination, incoming interface will help you in
this task.

On Mon, 2008-06-23 at 14:15 +0200, Marcus Better wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Marcus Better wrote:
> > IPsec tunnel is correctly established, but response traffic from the VE is
> > being sent out on br0, not the external interface eth0.
> 
> FYI I haven't resolved this yet, and upstream is unwilling to look at OpenVZ-specific problems. Any help with trying to reproduce it in a mainline kernel would be appreciated.
> 
> Basically it would suffice to configure a veth pair without a full OpenVZ virtual environment on the other side. Is that possible?
> 
> Marcus
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> 
> iD8DBQFIX5PwXjXn6TzcAQkRAkGoAJ4+8jt0e6R7rAtTaRnYszvHRgM1cACgqEhr
> v42RBwPux+QBDKs5qXfpECM=
> =RqmU
> -----END PGP SIGNATURE-----
> 
>