Wind River Support Network


LIN5-17892 : SCTP over IPSec is not working when SCTP checksum is offloaded to hardware

Created: Jan 23, 2014    Updated: Dec 19, 2017
Resolved Date: Jan 23, 2014
Previous ID: LIN4-30989
Found In Version: 5.0.1
Fix Version:
Severity: Severe
Applicable for: Wind River Linux 5
Component/s: Networking


SCTP IPv4 issues:

    1. When an SCTP session is created over an IPSec tunnel (with the properties given in the IPSec configuration), SCTP packets are dropped at the receiving end because of a wrong SCTP header checksum. This can be seen in the proc file /proc/net/sctp/snmp, where the SctpChecksumErrors count increases at the receiving end.

    2. When an IPSec rule is added for specific SCTP (client/server) ports, the port-based IPSec policies are never applied to SCTP traffic.

SCTP IPv6 issues:

    3. IPSec policy lookup does not happen for SCTP traffic.

NOTE: In addition to (3), all the IPv4 issues also apply to IPv6.

Steps to Reproduce

 # Take a NIC that supports the SCTP checksum offload feature, e.g. Intel 82599 (needs CONFIG_IXGBE=y in the kernel)
1. Configure the project and build everything
    $ configure --enable-board=intel_xeon_c600_pch --enable-kernel=cgl --enable-rootfs=glibc_cgl
    $ make -C build lksctp-tools.addpkg
    $ make -C build ipsec-tools.addpkg
    $ make fs
2. Take a target with an 82599 as the SCTP sender and link it to a receiver target. Deploy the attached confs to the targets.
3. IPSec: run the following on both targets
    $ setkey -f /etc/racoon/setkey.conf
    $ racoon -f /etc/racoon/racoon.conf
4. IPv4 test:
   # Receiver :
   $ ifconfig eth1 up
   $ sctp_darn -H 0 -P 250 -l
   # Sender :
   $ ifconfig eth1 up
   $ sctp_darn -H 0 -P 260 -h -p 250 -s
5. IPv6 test:
   # Receiver :
   $ ifconfig eth0 inet6 add 2001:1::1/64
   $ sctp_darn -H 2001:1::1 -P 250 -l
   # Sender :
   $ ifconfig eth0 inet6 add 2001:1::2/64
   $ sctp_darn -H 2001:1::2 -P 260 -h 2001:1::1 -p 250 -s
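
To confirm the symptom after running the steps above, the SctpChecksumErrors counter can be sampled on the receiver and the SCTP checksum offload state read on the sender. This script is an added example, not part of the defect report; the script name and the 10 second interval are assumptions, and `tx-checksum-sctp` is the feature name that `ethtool -k` prints for SCTP checksum offload.

```shell
#!/bin/sh
# Added example (not from the defect report): check the symptom on both ends.
#   receiver:  sh sctp_csum_check.sh watch 10      (counter growth over 10 s)
#   sender:    sh sctp_csum_check.sh offload eth1  (SCTP checksum offload state)
# The script name and the interval are arbitrary choices.

# Print the SctpChecksumErrors value from a /proc/net/sctp/snmp style file.
# Exits non-zero when the counter line is absent.
sctp_csum_errors() {
    awk '$1 == "SctpChecksumErrors" { print $2; found = 1 }
         END { if (!found) exit 1 }' "$1"
}

# Read `ethtool -k` output on stdin; print on, off or unknown.
sctp_offload_state() {
    awk -F': *' '$1 ~ /^[ \t]*tx-checksum-sctp$/ { split($2, a, " "); print a[1]; found = 1 }
         END { if (!found) print "unknown" }'
}

# Compare two counter samples taken while SCTP traffic crosses the tunnel.
csum_verdict() {
    if [ "$2" -gt "$1" ]; then
        echo "DROPPING delta=$(( $2 - $1 ))"
    else
        echo "OK"
    fi
}

case "${1:-demo}" in
watch)
    f=/proc/net/sctp/snmp
    before=$(sctp_csum_errors "$f") || { echo "no SCTP counters in $f" >&2; exit 2; }
    sleep "${2:-10}"
    csum_verdict "$before" "$(sctp_csum_errors "$f")"
    ;;
offload)
    ethtool -k "$2" | sctp_offload_state
    ;;
demo)
    # Constructed samples, not captured from a real target.
    tmp=$(mktemp)
    printf 'SctpCurrEstab\t1\nSctpChecksumErrors\t7\n' > "$tmp"
    csum_verdict 3 "$(sctp_csum_errors "$tmp")"
    printf 'tx-checksumming: on\n\ttx-checksum-sctp: on\n' | sctp_offload_state
    rm -f "$tmp"
    ;;
esac
```

A `DROPPING` verdict on the receiver together with `on` from the sender matches the condition this defect describes.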
