[strongSwan] wrong TCP checksum Re: NAT inside IPSec [NATed site to host]

Lev A. Melnikovsky melnikovsky at mail.ru
Sat Mar 8 20:33:19 CET 2014


further investigation revealed the underlying problem: it has nothing to 
do with strongswan itself. Instead, the linux kernel (3.10.25) seems to 
generate wrong TCP checksum for NATed packets if they arrived via IPSec. 
To verify this I have crafted a tiny iptables target to re-calculate the 
checksum for such packets and everything seems to work now. Disabling TCP 
checksum offload did not help...

Now I wonder if I should report this in the linux-kernel list or somebody 
here can take care of the problem?


More information about the Users mailing list