[vpn-help] -12 against ipsec-tools 0.6.6

Peter Eisch peter at boku.net
Mon Aug 7 13:57:22 CDT 2006


I have good results, up to a point.  The fragmenting is enabled with the
default values (540/enable/4500/30) but when I try to launch a large payload
packet, we trip over a checksum problem.  Here is a snapshot of what tcpdump
shows me:

13:50:13.083578 IP (tos 0x0, ttl  53, id 52867, offset 0, flags [DF],
length: 44) 66.235.221.84.80 > 10.1.101.27.10065: S [tcp sum ok]
209374:209374(0) ack 346961522 win 57344 <mss 1460>
13:50:13.138528 IP (tos 0x0, ttl 127, id 15808, offset 0, flags [DF],
length: 40) 10.1.101.27.10065 > 66.235.221.84.80: . [tcp sum ok] 1:1(0) ack
1 win 64512
13:50:13.140421 IP (tos 0x0, ttl  63, id 15809, offset 0, flags [+], length:
484) 10.1.101.27.10065 > 66.235.221.84.80: P [bad tcp cksum 66bb (->b22d)!]
1:445(444) ack 1 win 64512
13:50:14.605072 IP (tos 0x0, ttl  53, id 53375, offset 0, flags [DF],
length: 1450) 66.235.221.84.80 > 10.1.101.27.10063: FP [tcp sum ok]
1461:2871(1410) ack 407 win 58400
13:50:16.110136 IP (tos 0x0, ttl  63, id 15812, offset 0, flags [+], length:
484) 10.1.101.27.10065 > 66.235.221.84.80: P [bad tcp cksum 66bb (->b22d)!]
1:445(444) ack 1 win 64512
13:50:20.418586 IP (tos 0x0, ttl  63, id 15813, offset 0, flags [+], length:
484) 10.1.101.27.10054 > 64.233.167.99.80: FP [bad tcp cksum e2fa (->ebbc)!]
1:445(444) ack 1 win 64512
13:50:22.118151 IP (tos 0x0, ttl  63, id 15814, offset 0, flags [+], length:
484) 10.1.101.27.10065 > 66.235.221.84.80: P [bad tcp cksum 66bb (->b22d)!]
1:445(444) ack 1 win 64512
13:50:34.158431 IP (tos 0x0, ttl  63, id 15819, offset 0, flags [+], length:
484) 10.1.101.27.10065 > 66.235.221.84.80: P [bad tcp cksum 66bb (->b22d)!]
1:445(444) ack 1 win 64512

Of course, the same site navigation from the same client doesn't have this
problem.

1) Why isn't this getting fragmented?
2) How can I gather better detail to help you chase it?  My server config
(and client, for that matter) is the same as before.

Thanks,

peter
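
One way to gather more detail from a capture like the one in this message, as an added example that is not part of the original post: a small Python script that parses `tcpdump -v` records and marks which ones combine a bad TCP checksum with the more-fragments flag, which are retransmissions, and whether the IP length already covers the whole TCP payload. The function names and the 40-byte header figure (20-byte IP plus 20-byte TCP, no options) are assumptions of this example.

```python
import re
from collections import Counter

# Four records copied from the capture above; mail line wraps rejoined.
CAPTURE = """\
13:50:13.140421 IP (tos 0x0, ttl  63, id 15809, offset 0, flags [+], length: 484) 10.1.101.27.10065 > 66.235.221.84.80: P [bad tcp cksum 66bb (->b22d)!] 1:445(444) ack 1 win 64512
13:50:14.605072 IP (tos 0x0, ttl  53, id 53375, offset 0, flags [DF], length: 1450) 66.235.221.84.80 > 10.1.101.27.10063: FP [tcp sum ok] 1461:2871(1410) ack 407 win 58400
13:50:16.110136 IP (tos 0x0, ttl  63, id 15812, offset 0, flags [+], length: 484) 10.1.101.27.10065 > 66.235.221.84.80: P [bad tcp cksum 66bb (->b22d)!] 1:445(444) ack 1 win 64512
13:50:20.418586 IP (tos 0x0, ttl  63, id 15813, offset 0, flags [+], length: 484) 10.1.101.27.10054 > 64.233.167.99.80: FP [bad tcp cksum e2fa (->ebbc)!] 1:445(444) ack 1 win 64512
"""

# Fields of a `tcpdump -v` TCP record in the format shown in the post.
RECORD = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"length: (?P<len>\d+)\) (?P<src>\S+) > (?P<dst>\S+): \S+ "
    r"\[(?P<sum>[^\]]+)\] (?P<seq>\d+):\d+\((?P<payload>\d+)\)"
)

def parse(capture):
    """Yield one dict per record, with numeric fields converted to int."""
    for line in capture.splitlines():
        m = RECORD.search(line)
        if m:
            rec = m.groupdict()
            for key in ("id", "off", "len", "seq", "payload"):
                rec[key] = int(rec[key])
            yield rec

def triage(capture, min_headers=40):
    """Annotate each record with the properties relevant to the report.

    min_headers is an assumption: 20-byte IP plus 20-byte TCP header.
    """
    seen = Counter()
    findings = []
    for r in parse(capture):
        flow = (r["src"], r["dst"], r["seq"], r["payload"])
        seen[flow] += 1
        findings.append({
            "id": r["id"],
            "bad_cksum": r["sum"].startswith("bad"),
            "more_fragments": "+" in r["flags"],  # tcpdump prints MF as [+]
            "retransmit": seen[flow] > 1,  # same flow, seq and size seen before
            # True when the IP length already covers headers plus TCP payload
            "segment_fits": r["payload"] + min_headers <= r["len"],
        })
    return findings

if __name__ == "__main__":
    for f in triage(CAPTURE):
        print(f)
```
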



