After some more investigation it appears that the vrouter is putting bad checksums during the NAT process when the packets coming from the VM have no chksum.
Taking the following setup:
VM1 (contrail 3.2) -> PHY1 -> IPsec tunnel -> PHY2 -> VM2 (external)
When looking at packets on the physical interface (PHY1), isakmp packets have a correct cksum, so the tunnel establishment is fine:
84.39.63.145.4500 > 90.84.47.18.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie eb0126d8cd3e7a7d->3255d616d467404a: child_sa ikev2_auth[I]: (v2e: len=444)
But when traffic occurs on the tunnel the cksums are bad:
84.39.63.145.4500 > 90.84.47.18.4500: [bad udp cksum 0x1955 -> 0xed65!] UDP-encap: ESP(spi=0xc9c3730a,seq=0x1), length 132
The packets are dropped VM2 side. (netstat -su)
From the VM1 tap we can see that UDP ESP packets have no checksums:
tcpdump: listening on tap47f2864d-a7, link-type EN10MB (Ethernet), capture size 262144 bytes
07:59:34.915688 IP (tos 0x0, ttl 64, id 2471, offset 0, flags [DF], proto UDP (17), length 160)
    172.10.1.3.4500 > 90.84.47.18.4500: [no cksum] UDP-encap: ESP(spi=0xc9c3730a,seq=0x9), length 132
With the following patch in the vrouter module, we make the vrouter not change the cksum when packets have no checksum:
diff --git a/dp-core/vr_proto_ip.c b/dp-core/vr_proto_ip.c index b96fce3..d12d284 100644 --- a/dp-core/vr_proto_ip.c +++ b/dp-core/vr_proto_ip.c @@ -106,6 +106,9 @@ vr_ip_update_csum(struct vr_packet *pkt, unsigned int ip_inc, unsigned int inc) } else if (ip->ip_proto == VR_IP_PROTO_UDP) { udp = (struct vr_udp *)((unsigned char *)ip + ip->ip_hl * 4); csump = &udp->udp_csum; + if (*csump == 0) { + return; + } } else { return; }
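Review bot: the early "return" added in the UDP branch leaves vr_ip_update_csum entirely when udp_csum is 0, so please confirm that nothing later in the function (for example an IP header checksum update driven by ip_inc) still has to run for these packets; if something does, skip only the UDP checksum update instead of returning. A short comment above "if (*csump == 0)" saying that a zero UDP checksum over IPv4 means the sender computed none (RFC 768), and must therefore stay zero rather than be incrementally updated, would document why this case is special.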
With this patch, the tunnel establishment is ok as well as the traffic inside the tunnel. No bad cksum is set by the vrouter.
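The failure described above can be reproduced outside the vrouter. The following is an added example, not code from the vrouter or from the original comment: it applies an RFC 1624 incremental checksum update for the source-address rewrite seen in the captures (172.10.1.3 to 84.39.63.145, ports unchanged) to a constructed datagram whose checksum field is zero, with and without a zero check like the one in the patch. All function names and the 4-byte payload are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed datagram: ports 4500 -> 4500, length 12, checksum 0, 4 payload bytes. */
static const uint8_t SAMPLE[12] = {0x11,0x94, 0x11,0x94, 0,12, 0,0, 0xc9,0xc3,0x73,0x0a};
#define VM_IP  0xAC0A0103u  /* 172.10.1.3, source seen on the VM1 tap */
#define NAT_IP 0x54273F91u  /* 84.39.63.145, source seen on PHY1 */
#define DST_IP 0x5A542F12u  /* 90.84.47.18 */

static uint16_t fold(uint32_t s) {   /* one's-complement carry fold */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
/* RFC 1624 incremental update for one 16-bit word: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_update16(uint16_t hc, uint16_t m_old, uint16_t m_new) {
    return (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new);
}

/* Source NAT: patch the checksum field (bytes 6..7). honor_zero=1 models the patch. */
uint16_t nat_udp_src(uint8_t *udp, uint32_t old_src, uint32_t new_src, int honor_zero) {
    uint16_t c = (uint16_t)(udp[6] << 8 | udp[7]);
    if (honor_zero && c == 0) return 0;   /* RFC 768: zero means no checksum */
    c = csum_update16(c, (uint16_t)(old_src >> 16), (uint16_t)(new_src >> 16));
    c = csum_update16(c, (uint16_t)old_src, (uint16_t)new_src);
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)c;
    return c;
}

/* Receiver check over pseudo-header + datagram (even length assumed). */
int udp_csum_ok(const uint8_t *udp, size_t len, uint32_t src, uint32_t dst) {
    uint32_t s = (src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff) + 17 + (uint32_t)len;
    if (udp[6] == 0 && udp[7] == 0) return 1;   /* sender computed no checksum */
    for (size_t i = 0; i + 1 < len; i += 2) s += (uint32_t)(udp[i] << 8 | udp[i + 1]);
    return fold(s) == 0xffff;
}

/* NAT a copy of SAMPLE; returns the resulting field and the receiver's verdict. */
uint16_t demo(int honor_zero, int *accepted) {
    uint8_t p[sizeof SAMPLE];
    memcpy(p, SAMPLE, sizeof p);
    uint16_t c = nat_udp_src(p, VM_IP, NAT_IP, honor_zero);
    *accepted = udp_csum_ok(p, sizeof p, NAT_IP, DST_IP);
    return c;
}
int main(void) {
    int a, b; unsigned x = demo(0, &a), y = demo(1, &b);
    printf("blind: 0x%04x accepted=%d; guarded: 0x%04x accepted=%d\n", x, a, y, b);
    return 0;
}
```

Starting from a zero field, the blind update yields 0x1955 whatever the payload is, because the result then depends only on the address change; that is the same bad value tcpdump reports on PHY1 in the capture above.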