Comment 2 for bug 1780060

eon (eon-5) wrote :

After some more investigation it appears that the vrouter is putting bad checksums during the NAT process when the packets coming from the VM have no chksum.

Taking the following setup:

VM1 (contrail 3.2) -> PHY1 -> IPsec tunnel -> PHY2 -> VM2 (external)

When looking at packets on the physical interface (PHY1), isakmp packets have a correct cksum, so the tunnel establishment is fine:

    84.39.63.145.4500 > 90.84.47.18.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie eb0126d8cd3e7a7d->3255d616d467404a: child_sa ikev2_auth[I]:
    (v2e: len=444)

But when traffic occurs on the tunnel the cksums are bad:

    84.39.63.145.4500 > 90.84.47.18.4500: [bad udp cksum 0x1955 -> 0xed65!] UDP-encap: ESP(spi=0xc9c3730a,seq=0x1), length 132

The packets are dropped on the VM2 side (netstat -su).

From the VM1 tap we can see that UDP ESP packets have no checksums:

    tcpdump: listening on tap47f2864d-a7, link-type EN10MB (Ethernet), capture size 262144 bytes
    07:59:34.915688 IP (tos 0x0, ttl 64, id 2471, offset 0, flags [DF], proto UDP (17), length 160)
        172.10.1.3.4500 > 90.84.47.18.4500: [no cksum] UDP-encap: ESP(spi=0xc9c3730a,seq=0x9), length 132

With the following patch in the vrouter module, we make the vrouter not change the cksum when packets have no checksum:

diff --git a/dp-core/vr_proto_ip.c b/dp-core/vr_proto_ip.c
index b96fce3..d12d284 100644
--- a/dp-core/vr_proto_ip.c
+++ b/dp-core/vr_proto_ip.c
@@ -106,6 +106,9 @@ vr_ip_update_csum(struct vr_packet *pkt, unsigned int ip_inc, unsigned int inc)
     } else if (ip->ip_proto == VR_IP_PROTO_UDP) {
         udp = (struct vr_udp *)((unsigned char *)ip + ip->ip_hl * 4);
         csump = &udp->udp_csum;
+ if (*csump == 0) {
+ return;
+ }
     } else {
         return;
     }
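
Review bot: the early return added under `if (*csump == 0)` in the UDP branch needs a comment explaining why zero is special: for UDP over IPv4 a zero checksum field means the sender computed none, so an incremental update would turn it into a bogus non-zero value. Because this is a `return` from `vr_ip_update_csum()` rather than a skip of the UDP update alone, please confirm that no IP header checksum work driven by `ip_inc` sits after this if/else chain, otherwise it is skipped for these packets as well. The three added lines also need indenting to match the surrounding block.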

With this patch, the tunnel establishment is ok as well as the traffic inside the tunnel. No bad cksum is set by the vrouter.
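
The failure described in this comment can be reproduced arithmetically. The following is an added example, not part of the original comment and not vrouter code: it applies an RFC 1624 incremental update for the source address rewrite 172.10.1.3 -> 84.39.63.145 to a zero UDP checksum, which gives the 0x1955 seen in the PHY1 capture, and shows the guarded variant leaving the field at zero. The function names are hypothetical, values are in host byte order, and it assumes only the source address changes (both ports stay 4500, as in the captures).

```c
#include <stdint.h>
#include <stdio.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum (RFC 1071). */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for one 16-bit word. */
static uint16_t csum_replace16(uint16_t csum, uint16_t old_w, uint16_t new_w)
{
    return (uint16_t)~fold((uint32_t)(uint16_t)~csum + (uint16_t)~old_w + new_w);
}

/* Hypothetical source-NAT fixup of a UDP checksum (host-order values).
 * honor_zero = 0 models the behaviour reported in the comment,
 * honor_zero = 1 models the behaviour with the zero-checksum guard. */
uint16_t nat_udp_csum(uint16_t csum, uint32_t old_ip, uint32_t new_ip, int honor_zero)
{
    if (honor_zero && csum == 0)
        return 0;                /* RFC 768: 0 means "no checksum computed" */
    csum = csum_replace16(csum, (uint16_t)(old_ip >> 16), (uint16_t)(new_ip >> 16));
    csum = csum_replace16(csum, (uint16_t)old_ip, (uint16_t)new_ip);
    return csum ? csum : 0xffff; /* RFC 768: a computed 0 is sent as 0xffff */
}

/* Full UDP checksum over pseudo-header, UDP header and payload words. */
uint16_t udp_full_csum(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                       const uint16_t *payload, unsigned nwords)
{
    uint32_t len = 8 + 2 * nwords;
    uint32_t sum = (src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff)
                 + 17 + len + sport + dport + len;
    for (unsigned i = 0; i < nwords; i++)
        sum += payload[i];
    uint16_t c = (uint16_t)~fold(sum);
    return c ? c : 0xffff;
}

int main(void)
{
    uint32_t vm = 0xAC0A0103, nat = 0x54273F91; /* 172.10.1.3 -> 84.39.63.145 */
    printf("unguarded: 0x%04x\n", (unsigned)nat_udp_csum(0, vm, nat, 0));
    printf("guarded:   0x%04x\n", (unsigned)nat_udp_csum(0, vm, nat, 1));
    return 0;
}
```

`udp_full_csum` is included only to check that the incremental path agrees with a full recomputation when the original checksum is valid.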