# Printing Over IPsec failure: traffic incomplete session by timeout



## alfa (Feb 11, 2022)

Hi, i moved racoon to strongswan 5.9.2_2
and i have site to site ipsec vpn connection between my two locations
after moving to strongswan i encountered printing problem . For example: when i send 4 documents over ipsec to network printer some of them successfully printed and the others fail with this error :

Printer prints this:

```
SPL ERROR - Incomplete Session by time out
POSITION: 0xe45d (13470)
SYSTEM  : h6fwsim/os_hook
LINE    : 1591
VERSION : SPL 5.98 07-24-2014
ERROR CODE : 11-1112
```

When i use racoon there was no problem .

Then i made some debug using TCPDUMP


```
tcpdump -i enc0  port 9100 or 515 or 161 -n -vvv
```

command returned  "*bad cksum*" on every packet  like this:
(11.11 is pc 22.225 is network printer)

```
tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
15:04:26.313992 (authentic,confidential): SPI 0x07e929da: IP (tos 0x0, ttl 127, id 26351, offset 0, flags [none], proto UDP (17), length 107, bad cksum 400 (->500)!)
    192.168.11.11.61678 > 192.168.22.225.snmp: [udp sum ok]  { SNMPv1 { GetRequest(64) R=8252429  25.3.2.1.5.1 25.3.5.1.1.1 25.3.5.1.2.1 } }
15:04:26.314079 (authentic,confidential): SPI 0x07e929da: IP (tos 0x0, ttl 127, id 26352, offset 0, flags [DF], proto UDP (17), length 107, bad cksum c3fe (->c4fe)!)
    192.168.11.11.61678 > 192.168.22.225.snmp: [udp sum ok]  { SNMPv1 { GetRequest(64) R=8252430  25.3.2.1.5.1 25.3.5.1.1.1 25.3.5.1.2.1 } }
```

i also tried  icmp request from pc to printer result is same again "bad cksum"

after that i set up wireguard between my locations no problem occured
i can't set up wg to some of my locations due to non supported devices.
and i can't return to racoon again.

 Thanks for any help ..

here is my swanctl conf:

```
2000 {
        fragmentation = yes
        unique = replace
        version = 1
        aggressive = no
        proposals = des-md5-modp768
        dpd_delay = 10s
        dpd_timeout = 60s
        reauth_time = 25920s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        remote_addrs = 222.222.222.222
        local {
        id = 111.111.111.111
          auth = psk
        }
        remote {
          id = 222.222.222.222
          auth = psk
        }
        children {
                2001 {
                        close_action = start
                        dpd_action = restart
                        mode = tunnel
                        policies = yes
                        life_time = 28800s
                        rekey_time = 25920s
                        rand_time = 2880s
                        start_action = trap
                        local_ts = 192.168.11.0/24
                        remote_ts = 192.168.22.0/24
                        esp_proposals = des-md5-modp768
                }
        }
   }
}
secrets {
        ike-0 {
                secret = xxxxx
                id-0 = %any
                id-1 = 111.111.111.111
        }
        ike-1 {
                secret = xxxxx
                id-0 = %any
                id-1 = 222.222.222.222
        }
}
```

*# INTERFACE CONFIGURATIONS*


```
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: enc
#WAN
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether asdasd
    hwaddr asdasd
    inet asdasd netmask 0xfffffffc broadcast asdasd
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
#LAN
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether asdasd
    hwaddr asdasd
    inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
```


----------



## SirDice (Feb 11, 2022)

alfa said:


> command return "*bad cksum*" on every packet like this:


Could be due to hardware checksum offloading.


----------



## alfa (Feb 11, 2022)

SirDice said:


> Could be due to hardware checksum offloading.


i was completely closed cksum offloading on igb0 and igb1 and it does not work..


```
ifconfig igb0 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso
ifconfig igb1 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso
```

any suggestion?


----------

