[Openswan dev] Re: [Openswan Users]
David McCullough
davidm at snapgear.com
Thu Jan 5 09:25:23 CET 2006
Jivin Paul Wouters lays it down ...
> On Wed, 4 Jan 2006, openswan wrote:
>
> > I used Openswan 2.4.4 and kernel 2.6.12.6 with KLIPS patch and
> > everything is ok. The clients that use this VPN connection are mostly
> > (WINDOWS 2000 Workstations and Linux Workstations). They have installed
> > ethernet cards 3COM 3c509 and VIA RHINE.
> > When I tried to activate "Tx checksum offload (Hardware Checksum)" on
> > these ethernet cards all packets that passed the Openswan (KLIPS) became
> > delayed or dropped (maybe with invalid Checksum!?). When I deactivate
> > this option i.e. the IP Stack to make the CHECKSUM everything is working
> > fine.
>
> The cards cannot and should not rewrite ipsec packets. Any change will break
> the authenticity of the packet. IPsec protects against packet rewriting,
> whether it is done by the good or the bad guys.
>
> Depending on how this is implemented, it is a bug in the kernel (for giving
> the packets to the hardware) or the hardware (for changing packets it shouldn't)
>
> Note that I said "ipsec packets". I meant protocol 50 and 51. If we are
> talking about NAT-T packets, eg ESPinUDP packets, then it should be
> possible to do hardware offloading of the outer UDP packet. What packets did
> you see this behaviour for?
We ship a lot of routers with RealTek 8139CP chips and they do HW
checksumming. It has never affected IPSEC to my knowledge.
The checksum is just the IP checksum and it doesn't matter who
works it out, it should be the same, right?
The 8139cp driver on input sets ip_summed to CHECKSUM_UNNECESSARY if it has
ok'd the packet. It only calculates the checksum on output if
ip_summed == CHECKSUM_HW. If that helps at all? Perhaps the
offloading is broken in those drivers? If it's not on by default I
would ask why it's not on by default :-)
Not 100% sure I've tested a 2.6 + klips + openswan + hw summing combination,
but I have definitely tested it with 2.4.
Cheers,
Davidm
--
David McCullough, davidm at cyberguard.com.au, Custom Embedded Solutions + Security
Ph:+61 734352815 Fx:+61 738913630 http://www.uCdot.org http://www.cyberguard.com
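The two checksums the thread is talking about, modelled as an added example (not code from Openswan, KLIPS or any NIC driver): the IPv4 header checksum covers only the 20-byte header, so a NIC recomputing it on an ESP (protocol 50) packet produces the same value the stack would and never touches the ESP payload, while the outer UDP checksum of an ESPinUDP packet covers the (already encrypted) payload via the pseudo-header. The packet bytes, addresses and SPI are constructed for the demonstration, and `rx_checksum_ok` is a stand-in for the driver's "header sums to 0xFFFF, mark CHECKSUM_UNNECESSARY" decision.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_checksum(header: bytes) -> int:
    """Checksum over the IPv4 header only, with the checksum field treated as zero."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF

def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:] + payload

def rx_checksum_ok(packet: bytes) -> bool:
    """Receive-side check: a valid header sums to 0xFFFF (what earns CHECKSUM_UNNECESSARY)."""
    return ones_complement_sum(packet[:20]) == 0xFFFF

def tx_offload_recompute(packet: bytes) -> bytes:
    """Model of Tx IP-checksum offload: the NIC rewrites the header checksum field only."""
    hdr = packet[:20]
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:] + packet[20:]

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Outer UDP checksum: pseudo-header plus the whole datagram, payload included."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    csum = (~ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])) & 0xFFFF
    return csum or 0xFFFF                  # UDP transmits 0 as 0xFFFF

# Constructed sample: ESP header (SPI, sequence number) followed by opaque ciphertext bytes.
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
ESP_PAYLOAD = struct.pack("!II", 0x1000, 1) + bytes(range(32))

def esp_offload_is_harmless() -> bool:
    """Recomputing the IP header checksum leaves an ESP packet byte-for-byte identical."""
    pkt = build_ipv4(SRC, DST, IPPROTO_ESP, ESP_PAYLOAD)
    return tx_offload_recompute(pkt) == pkt and rx_checksum_ok(pkt) and pkt[20:] == ESP_PAYLOAD

def espinudp_udp_covers_payload() -> bool:
    """Changing one ciphertext byte changes the outer UDP (port 4500) checksum."""
    def udp(payload): return struct.pack("!HHHH", 4500, 4500, 8 + len(payload), 0) + payload
    altered = ESP_PAYLOAD[:-1] + bytes([ESP_PAYLOAD[-1] ^ 0x01])
    return udp_checksum(SRC, DST, udp(ESP_PAYLOAD)) != udp_checksum(SRC, DST, udp(altered))
```

The contrast is the point of the thread: IP-header offload on protocol 50/51 packets is value-neutral, whereas anything computed over the payload must run after encryption, as it can for the outer UDP header of ESPinUDP.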