On Mon, Jun 22, 2009 at 05:07:31PM +0800, Herbert Xu wrote:

The correct solution is to use the encap nat_oa field to adjust
the checksum.  That's why that field exists.

Alas the IKEv2 people still haven't got their acts together so
this is currently only possible with IKEv1.

So I think we should offer both options (plus the option of doing
nothing as we do now).  The default should be to do nothing, as
recomputing the checksum carries some risk which we should make
explicit to the admin by requiring them to turn the option on.

Now as to the technical problem of how to recompute the checksums
cleanly, may I draw your attention to gso_send_checksum which does
exactly what you want.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt