
Re: IPSec "bad cksum 0!"



Hello,

On Wed, 23 Jun 2004 18:56:51 +0200, Massimo Bergamini <mbergamini_(_at_)_mtnspa_(_dot_)_com> wrote:
> I can't bring up my VPN on 2 OpenBSD 3.5 boxes.

I have a similar situation with a 3.5 and a 3.6 (from CVS) machine.

> example in /usr/share/ipsec/isakmpd for the transport mode and

... tunnel mode...

> tcpdump: WARNING: enc0: no IPv4 address assigned
> tcpdump: listening on enc0
> 18:25:53.003620 (authentic,confidential): SPI 0x00001001: 151.38.9.59 >
> 151.8.4.206: 10.0.96.100 > 10.0.11.254: icmp: echo request (id:0300
> seq:6656) (ttl 127, id 31203) (ttl 64, id 3172, bad cksum 0!)

I have this with the checksum value varying over time.

> and the ping seems to work perfectly

Same here, too.

> pass in on enc0 proto ipencap all

Maybe I'm stupid, but until I say "pass in on enc0 all" and the same for "out",
packets don't get through anymore. I'd really hope to be able to filter on IP
numbers on enc0 some day since I need to run various networks over a single box
which should rather not interfere.

> On Sat, 26.06.2004 at 22:35:15 +0200, Benjamin Pineau <ben_(_at_)_zouh_(_dot_)_org> wrote:
> - how could something generate a packet with a null checksum ?!

> - the bad checksum is done by the encapsulating process: headers before are ok,
>   outside headers from encapsulated packets are ok.

Same problem here - when viewing on the outside and on the inside, no checksum
problems are reported, only when viewing on enc0.

> http://www.freebsd.org/cgi/query-pr.cgi?pr=63982 shows at least one case where
> hardware cksum causes udp sum errors): I used rl interfaces.

I use only fxp interfaces.



Best,
-Toni++


