Feature #2213

Add support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages

Added by Andrey Elsukov over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
kernel-interface
Start date:
11.01.2017
Due date:
Estimated time:
Resolution:
Won't fix

Description

Hi,

I reworked NAT-T support in FreeBSD.
Now I'm looking at how to modify strongswan to add support for the SADB_X_EXT_NAT_T_OAI and
SADB_X_EXT_NAT_T_OAR messages.

The kernel uses this information to adjust the UDP/TCP checksum during the decapsulation procedure
in transport mode, as described in https://tools.ietf.org/html/rfc3948#section-3.1.2

Here is the related code:
https://svnweb.freebsd.org/base/projects/ipsec/sys/netipsec/key.c?annotate=309808#l5207

History

#1 Updated by Tobias Brunner over 8 years ago

  • Status changed from New to Feedback

Why not just ignore the checksum for decrypted packets as the Linux kernel does (as described in point 3 in section 3.1.2 of RFC 3948)? We currently don't store the original traffic selectors (IKEv2 has no mechanism to exchange the private addresses explicitly as IKEv1 did, however, for IKEv1 we ignore NAT-OA payloads).

#2 Updated by Andrey Elsukov over 8 years ago

Tobias Brunner wrote:

Why not just ignore the checksum for decrypted packets as the Linux kernel does (as described in point 3 in section 3.1.2 of RFC 3948)? We currently don't store the original traffic selectors

It is possible; I added the sysctl net.inet.ipsec.natt_cksum_policy variable to control the behavior:
0 - incrementally recompute.
1 - fully recompute TCP/UDP checksum.
2 - for UDP reset checksum to zero; for TCP mark csum_flags as valid.

(IKEv2 has no mechanism to exchange the private addresses explicitly as IKEv1 did, however, for IKEv1 we ignore NAT-OA payloads).

Ok, if so, I think this issue can be closed. Thanks for clarification.

#3 Updated by Tobias Brunner over 8 years ago

  • Tracker changed from Issue to Feature

Why not just ignore the checksum for decrypted packets as the Linux kernel does (as described in point 3 in section 3.1.2 of RFC 3948)? We currently don't store the original traffic selectors

It is possible; I added the sysctl net.inet.ipsec.natt_cksum_policy variable to control the behavior:
0 - incrementally recompute.
1 - fully recompute TCP/UDP checksum.
2 - for UDP reset checksum to zero; for TCP mark csum_flags as valid.

Ah, neat. What's the default value?

(IKEv2 has no mechanism to exchange the private addresses explicitly as IKEv1 did, however, for IKEv1 we ignore NAT-OA payloads).

Ok, if so, I think this issue can be closed. Thanks for clarification.

Adding support for configuring NAT-OA would certainly be possible, but it would require quite some changes all over the place (as mentioned the payloads and TS are currently ignored and there is no facility to pass them to the CHILD_SA or the kernel interfaces). Since there is a workaround (as mentioned above) for users who want to use transport mode via NAT, it's probably not worth implementing it at this time.

#4 Updated by Andrey Elsukov over 8 years ago

It is possible; I added the sysctl net.inet.ipsec.natt_cksum_policy variable to control the behavior:
0 - incrementally recompute.
1 - fully recompute TCP/UDP checksum.
2 - for UDP reset checksum to zero; for TCP mark csum_flags as valid.

Ah, neat. What's the default value?

The default value is 0, but I think 2 is a more appropriate value given the current situation.

#5 Updated by Andrey Elsukov over 8 years ago

Andrey Elsukov wrote:

It is possible; I added the sysctl net.inet.ipsec.natt_cksum_policy variable to control the behavior:
0 - incrementally recompute.
1 - fully recompute TCP/UDP checksum.
2 - for UDP reset checksum to zero; for TCP mark csum_flags as valid.

I finally committed the changes to FreeBSD 12.0-CURRENT. I changed this behavior. By default this variable has the value zero, which means "incrementally recompute checksums if NAT-OA information was specified by IKE", and otherwise "reset the UDP checksum to zero and ignore it for TCP". The value 1 means "fully recompute TCP and UDP checksums".

#6 Updated by Tobias Brunner over 8 years ago

  • Category set to kernel-interface
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Won't fix

By default this variable has the value zero, which means "incrementally recompute checksums if NAT-OA information was specified by IKE", and otherwise "reset the UDP checksum to zero and ignore it for TCP". The value 1 means "fully recompute TCP and UDP checksums".

Makes sense. Thanks for the update.
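The checksum problem from the description and the three treatments quoted in comment #5, worked through as an added example; this is not code from the issue, from FreeBSD's netipsec or from strongSwan. It builds a constructed IPv4/UDP packet from a peer behind a NAT, lets the NAT rewrite the outer source address (the UDP checksum is inside ESP, so it cannot be fixed there), and then shows what the decapsulating host can do per RFC 3948 section 3.1.2: update the checksum incrementally from the NAT-OA address (RFC 1624), recompute it fully, or zero it when IKE supplied no NAT-OA. The addresses, the function names, the `natt_fixup_udp` policy argument standing in for the sysctl value, and the restriction to IPv4 UDP on the responder's inbound path are all assumptions of this example; TCP and the outbound direction are not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian 16-bit access keeps the checksum arithmetic host-byte-order independent. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement sum; an odd trailing byte is zero-padded. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += rd16(p);
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
/* RFC 768: a transmitted zero means "no checksum", so an all-ones result is sent instead. */
static uint16_t udp_nonzero(uint16_t c) { return c ? c : 0xffff; }

enum { IP_HLEN = 20, UDP_HLEN = 8, OFF_IPCSUM = 10, OFF_SRC = 12, OFF_DST = 16, OFF_UDPLEN = 24, OFF_UDPCSUM = 26 };
enum natt_cksum_policy { NATT_CKSUM_INCREMENTAL = 0, NATT_CKSUM_FULL = 1 };   /* the sysctl values */

/* Pseudo-header: src, dst, zero, protocol 17, UDP length. */
static uint32_t udp_pseudo_sum(const uint8_t *pkt, size_t len) {
    uint8_t ph[12] = {0};
    memcpy(ph, pkt + OFF_SRC, 8); ph[9] = 17; wr16(ph + 10, (uint16_t)(len - IP_HLEN));
    return ones_sum(ph, sizeof ph, 0);
}
/* Full recompute (sysctl value 1): pseudo-header plus everything but the checksum field. */
static uint16_t udp_csum_compute(const uint8_t *pkt, size_t len) {
    uint32_t sum = ones_sum(pkt + IP_HLEN, 6, udp_pseudo_sum(pkt, len));   /* ports, length */
    return udp_nonzero(~csum_fold(ones_sum(pkt + OFF_UDPCSUM + 2, len - OFF_UDPCSUM - 2, sum)));
}
/* What a receiving UDP stack does: a zero field is accepted without verification. */
static int udp_csum_valid(const uint8_t *pkt, size_t len) {
    return rd16(pkt + OFF_UDPCSUM) == 0 ||
           csum_fold(ones_sum(pkt + IP_HLEN, len - IP_HLEN, udp_pseudo_sum(pkt, len))) == 0xffff;
}
/* RFC 1624 eqn 3, HC' = ~(~HC + ~m + m'), over the two words of the address that changed:
 * m is the original address from NAT-OA, m' the address now in the IP header. */
static uint16_t csum_incremental(uint16_t hc, const uint8_t *old_addr, const uint8_t *new_addr) {
    uint32_t sum = (uint16_t)~hc + (uint16_t)~rd16(old_addr) + (uint16_t)~rd16(old_addr + 2)
                 + rd16(new_addr) + rd16(new_addr + 2);
    return udp_nonzero(~csum_fold(sum));
}

/* Hypothetical decapsulation-side fix-up for an inbound IPv4/UDP transport-mode packet, following
 * the committed semantics quoted in the thread: policy 0 updates incrementally when IKE supplied
 * the peer's original address (nat_oa), otherwise resets the field to zero; policy 1 recomputes. */
static uint16_t natt_fixup_udp(uint8_t *pkt, size_t len, int policy, const uint8_t *nat_oa) {
    uint16_t hc = rd16(pkt + OFF_UDPCSUM), nc = 0;
    if (policy == NATT_CKSUM_FULL)       nc = udp_csum_compute(pkt, len);
    else if (nat_oa != NULL && hc != 0)  nc = csum_incremental(hc, nat_oa, pkt + OFF_SRC);
    wr16(pkt + OFF_UDPCSUM, nc);
    return nc;
}

static size_t build_udp_packet(uint8_t *buf, const uint8_t *src, const uint8_t *dst, const char *payload) {
    size_t plen = strlen(payload), len = IP_HLEN + UDP_HLEN + plen;
    memset(buf, 0, len);
    buf[0] = 0x45; wr16(buf + 2, (uint16_t)len); buf[8] = 64; buf[9] = 17;
    memcpy(buf + OFF_SRC, src, 4); memcpy(buf + OFF_DST, dst, 4);
    wr16(buf + OFF_IPCSUM, ~csum_fold(ones_sum(buf, IP_HLEN, 0)));
    wr16(buf + IP_HLEN, 4500); wr16(buf + IP_HLEN + 2, 4500); wr16(buf + OFF_UDPLEN, (uint16_t)(UDP_HLEN + plen));
    memcpy(buf + IP_HLEN + UDP_HLEN, payload, plen);
    wr16(buf + OFF_UDPCSUM, udp_csum_compute(buf, len));
    return len;
}
/* A NAT rewrites only the outer source address and IP header checksum; the UDP checksum sits
 * inside ESP, so after decapsulation it still reflects the private address. */
static void nat_rewrite_src(uint8_t *pkt, const uint8_t *new_src) {
    memcpy(pkt + OFF_SRC, new_src, 4);
    wr16(pkt + OFF_IPCSUM, 0);
    wr16(pkt + OFF_IPCSUM, ~csum_fold(ones_sum(pkt, IP_HLEN, 0)));
}

/* Bitmask: 1 stale checksum rejected, 2 incremental fix verifies, 4 full recompute verifies,
 * 8 zeroed field accepted, 16 incremental and full results are identical. Expected: 0x1f. */
static int run_demo(void) {
    static const uint8_t priv[4] = {10, 0, 0, 5};      /* initiator behind the NAT, sent as NAT-OAi */
    static const uint8_t pub[4]  = {198, 51, 100, 7};  /* what the responder sees after the NAT */
    static const uint8_t resp[4] = {203, 0, 113, 10};  /* responder, the host doing the fix-up */
    uint8_t inc[128], full[128], zero[128];            /* constructed sample packet, three copies */
    size_t len = build_udp_packet(inc, priv, resp, "hello over transport-mode NAT-T");
    nat_rewrite_src(inc, pub);
    int r = udp_csum_valid(inc, len) ? 0 : 1;          /* still computed over 10.0.0.5: stale */
    memcpy(full, inc, len); memcpy(zero, inc, len);
    uint16_t ci = natt_fixup_udp(inc, len, NATT_CKSUM_INCREMENTAL, priv);
    uint16_t cf = natt_fixup_udp(full, len, NATT_CKSUM_FULL, NULL);
    uint16_t cz = natt_fixup_udp(zero, len, NATT_CKSUM_INCREMENTAL, NULL);   /* IKE passed no NAT-OA */
    if (udp_csum_valid(inc, len)) r |= 2;
    if (udp_csum_valid(full, len)) r |= 4;
    if (cz == 0 && udp_csum_valid(zero, len)) r |= 8;
    if (ci == cf) r |= 16;
    return r;
}

int main(void) {
    int r = run_demo();
    printf("result mask 0x%02x (expected 0x1f)\n", r);
    return r == 0x1f ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall` and run; the mask shows which treatments left a packet the UDP stack accepts. The incremental path only touches the two address words, which is why the kernel needs NAT-OA from IKE for it; the zeroing path needs nothing but gives up the checksum entirely, which is acceptable here only because ESP integrity protection already covers the payload. Note that the same trick is not available for TCP, where a zero checksum is not defined, so the "ignore" case there is a receiver-side decision rather than a change to the packet.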