[strongSwan] wrong TCP checksum Re: NAT inside IPSec [NATed site to host]
Lev A. Melnikovsky
melnikovsky at mail.ru
Sat Mar 8 20:33:19 CET 2014
further investigation revealed the underlying problem: it has nothing to
do with strongswan itself. Instead, the linux kernel (3.10.25) seems to
generate wrong TCP checksum for NATed packets if they arrived via IPSec.
To verify this I have crafted a tiny iptables target to re-calculate the
checksum for such packets and everything seems to work now. Disabling TCP
checksum offload did not help...
Now I wonder if I should report this in the linux-kernel list or somebody
here can take care of the problem?
More information about the Users