Cryptic title, see Steinbeck.
VMware ESXi has some mechanisms on the virtual switches to filter out packets coming from MAC addresses that does not correspond to addresses assignes to virtual machines.
A VPN sees the MAC of its clients that are coming trhough the encrypted tunnel. But ESXi deems these MAC as forged and the packets are not transmitted.
The virtual switch must have the security set to allow Promiscuous mode and Forged transits.