We're having some IPsec connection problems that seem connected to the UDP checksum being (incorrectly) set with some ISPs.
To investigate further, I want to reproduce the error within a controlled environment.
Now, I do not know what the ISP does exactly so I'd like to manipulate UDP packets directly to reproduce a given scenario (UDP checksum missing, set correctly and set incorrectly).
The client: A Linux machine with some tools (perl, iptables, GNU tools, bash, tcpdump)
The server: A FreeBSD based machine with almost no tools (bash, pf, tcpdump)
I want to test how the server reacts with different UDP checksum situations.
Since it doesn't have many tools, I figured the easiest way to reproduce these situations would be from the Linux client.
I know there is the possibility to set the UDP checksum using the mangle table.
That only allows me to correctly set the UDP checksum.
How do I forge the UDP checksum of packets to be either nonexistent, correctly set or incorrectly set?
Any ideas on how to reproduce these scenarios - maybe in a different way - are also welcome in the comments.
I found a way to hook a Python script into the mangle table and alter the packets using that Python script. The performance is understandably quite slow, but it is sufficient for testing purposes.
The Python 3 script looks like this (using scapy and NetfilterQueue):
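The answerer's own script is not reproduced on this page. What follows is an added example, not the answerer's code and not part of the original answer: it shows the checksum arithmetic behind the three scenarios the question asks for (field zeroed, correct, deliberately wrong), a receiver-side verifier, and an NFQUEUE hook of the kind the answer describes. It uses only the standard library for the packet work; the `netfilterqueue` module is imported lazily inside `run_nfqueue`, so the checksum functions run anywhere. The queue number, the iptables rule in the docstring, and the sample IPv4/UDP packet (10.0.0.1:500 to 10.0.0.2:500 with a made-up payload) are constructed for illustration.

```python
import struct
import sys

# Mutation modes for the UDP checksum field.
MODE_ABSENT = "absent"    # field set to zero: "no checksum" for UDP over IPv4 (RFC 768)
MODE_CORRECT = "correct"  # field recomputed over pseudo-header, header and payload
MODE_WRONG = "wrong"      # non-zero value that does not verify; a conforming receiver drops it


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum for IPv4: pseudo-header + UDP header (checksum field zeroed) + payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    # A computed zero is transmitted as 0xFFFF so it is not mistaken for "no checksum".
    return csum or 0xFFFF


def set_udp_checksum(packet: bytes, mode: str) -> bytes:
    """Return a copy of an IPv4/UDP packet with its UDP checksum forced into the chosen mode."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        return packet  # not IPv4/UDP: leave untouched
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    correct = udp_checksum(src, dst, packet[ihl:])
    if mode == MODE_ABSENT:
        value = 0
    elif mode == MODE_CORRECT:
        value = correct
    elif mode == MODE_WRONG:
        # Differs from the correct value and is never 0 (0 would mean "absent").
        value = (correct ^ 0x5A5A) or 1
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return packet[:ihl + 6] + struct.pack("!H", value) + packet[ihl + 8:]


def verify_udp_checksum(packet: bytes) -> str:
    """What the receiving stack sees: 'absent' (zero field), 'ok', or 'bad'."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    if udp[6:8] == b"\x00\x00":
        return "absent"
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    # With the transmitted checksum included, the one's-complement sum must be all ones.
    return "ok" if ones_complement_sum(pseudo + udp) == 0xFFFF else "bad"


def sample_packet() -> bytes:
    """Constructed IPv4/UDP packet (10.0.0.1:500 -> 10.0.0.2:500, IKE port) for offline tests."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"constructed test payload, not a real IKE message"
    udp = struct.pack("!HHHH", 500, 500, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + udp


def run_nfqueue(queue_num: int, mode: str) -> None:
    """Rewrite every queued IPv4/UDP packet; needs root and the netfilterqueue module.

    Pair it with a rule that diverts the traffic under test, for example (assumed rule):
        iptables -t mangle -A OUTPUT -p udp --dport 500 -j NFQUEUE --queue-num 1
    """
    from netfilterqueue import NetfilterQueue  # lazy import: only needed on the test client

    def handle(pkt):
        pkt.set_payload(set_udp_checksum(pkt.get_payload(), mode))
        pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, handle)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    # usage: sudo python3 udp_csum.py <queue-num> absent|correct|wrong
    run_nfqueue(int(sys.argv[1]), sys.argv[2])
```

Two practical checks: confirm the outcome on the FreeBSD side with `tcpdump -vv`, which prints "bad udp cksum" for the `wrong` case and "no cksum" for the `absent` case, rather than trusting a capture on the sending Linux host, where packets may be captured before any NIC checksum offload runs; and keep in mind that this example only handles IPv4, since UDP over IPv6 requires a non-zero checksum, so the `absent` scenario is not meaningful there.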