I was trying to follow the example for IPsec transport mode at
http://www.ipsec-howto.org/x304.html with a 4.1 kernel,
and I find that using 3des_cbc does not work - packets get dropped
at the receiver after decryption: e.g., for a ping, the decrypted
packet has a mangled icmp header, and is dropped for a bad checksum
in icmp_rcv.
Odd thing here is that the icmp payload was never mangled
on my watch, and esp_input does correctly figure out the ULP of
the payload after decrypt, so there is some pattern to this.
Using blowfish instead of 3des works on 4.1, so I suspect the bug
is specific to the encrypt/decrypt method.
FWIW I tried the 3des instructions from ipsec-howto.org with
2.6.39 kernels, and it still fails (but so did blowfish, so
something got better along the way).
Has anyone else noticed this behavior for 3des?
--Sowmini
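
The symptom reported above (8-byte ICMP header mangled, payload intact, checksum failure) is the pattern CBC decryption produces when only the first block's chaining input, the IV, differs between sender and receiver. The following is an added example, not part of the original post and not a diagnosis of the kernel bug; it assumes a toy 8-byte Feistel cipher as a stand-in for 3DES, constructed key, IV and packet values, and omits the ESP padding and trailer.

```python
import hashlib, struct
BLOCK = 8  # 64-bit block, the block size of 3DES (and Blowfish)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # toy Feistel round function, NOT 3DES
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def inet_checksum(data):  # RFC 1071 sum over even-length data; 0 means valid
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def demo():
    key, iv = b"constructed-key", bytes(range(8))  # constructed values
    body = struct.pack("!HH", 0x1234, 1) + bytes(range(56))  # id, seq, payload
    csum = inet_checksum(struct.pack("!BBH", 8, 0, 0) + body)
    pkt = struct.pack("!BBH", 8, 0, csum) + body   # ICMP echo request, 64 bytes
    ct = cbc_encrypt(key, iv, pkt)
    good = cbc_decrypt(key, iv, ct)        # receiver uses the sender's IV
    bad = cbc_decrypt(key, bytes(8), ct)   # receiver's IV differs
    return pkt, good, bad
```

Comparing `bad` with `pkt` byte by byte shows the difference confined to offsets 0-7, which is the kind of comparison that separates an IV or first-block problem from a key or algorithm mismatch (the latter garbles every block).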