Re: [RFC] Fixing up TCP/UDP checksum for UDP encap. ESP4 packets in transport mode
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2009-07-07 02:18:47
On Mon, Jul 06, 2009 at 07:02:35PM -0700, David Miller wrote:
> Indeed, there is no way to handle checksums sanely. The whole end-to-end protection of the checksum would be entirely subverted if we fixed it up.

Exactly, the only safe solution is to use natoa to fix up the checksums properly (doable in theory, but almost no one actually uses it in practice, as seen by the fact that it's not even possible with the current spec of IKEv2), or better yet, use tunnel mode. 20 bytes is small change on the Internet.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt