packet checksum/connectivity error when routing from OpenVPN to IPSec.
-
We're having an issue with connectivity and packet checksum errors on an IPsec tunnel: there's no connectivity from OpenVPN, it works from the local LAN, and in all cases there are checksum errors.
The option "Disable hardware checksum offloading" is already enabled (it was needed to get the MPLS to work); the pfSense is virtualized in VMware.
The tunnel has a number of phase 2 entries. The remote phase 2 is a /32 address (192.168.150.107); the local phase 2 is a number of subnets: the local LAN (192.168.41.0/23), MPLS from remote offices, and an OpenVPN subnet (pfSense managed, 10.0.253.0/24).
There's connectivity from all of them except the OpenVPN subnet. Doing a packet capture I see this checksum error on all of the connections, actually, even the ones that do work.
Is it normal? What is that checksum error?
I'd like to exclude any possible issues with our side on pfSense before troubleshooting with the remote side (not managed by me, difficult communications). All of the following packet captures have been run on the pfSense box.
Here's a relevant snippet from the ICMP packet capture, pinging from an OpenVPN client; I don't get a reply from the remote endpoint:

    10.0.253.3 > 192.168.150.107: ICMP echo request, id 31, seq 764, length 64
10:56:14.915915 (authentic,confidential): SPI 0x19a10808: (tos 0x0, ttl 63, id 38748, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4535 (->4635)!)

Here's a relevant snippet from a TCP connection from an OpenVPN client. It's a telnet connection; I don't get a successful connection (a login prompt):

11:09:53.235777 (authentic,confidential): SPI 0x19a10808: (tos 0x10, ttl 63, id 19695, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 8fa5 (->90a5)!)
    10.0.253.3.56098 > 192.168.150.107.23: Flags [S], cksum 0xfaae (correct), seq 2630625051, win 64240, options [mss 1357,sackOK,TS val 3266286302 ecr 0,nop,wscale 7], length 0

Here's a snippet from an ICMP capture from a local LAN client; I get a reply from the remote endpoint:

11:15:12.766362 (authentic,confidential): SPI 0x4719536e: (tos 0x0, ttl 62, id 28659, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 8a94 (->8b94)!)
    192.168.41.101 > 192.168.150.107: ICMP echo request, id 5616, seq 6, length 64
11:15:12.814467 (authentic,confidential): SPI 0xc66a9d42: (tos 0x0, ttl 64, id 15119, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.150.107 > 192.168.41.101: ICMP echo reply, id 5616, seq 6, length 64

Here's a snippet from a TCP connection from a local LAN client; I get a login prompt via telnet:

11:16:40.524829 (authentic,confidential): SPI 0x4719536e: (tos 0x10, ttl 62, id 23906, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 9d28 (->9e28)!)
    192.168.41.101.50992 > 192.168.150.107.23: Flags [S], cksum 0x318e (correct), seq 2208285177, win 64240, options [mss 1460,sackOK,TS val 3823364506 ecr 0,nop,wscale 7], length 0
11:16:40.573369 (authentic,confidential): SPI 0xc66a9d42: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.150.107.23 > 192.168.41.101.50992: Flags [S.], cksum 0x8e05 (correct), seq 2769023387, ack 2208285178, win 28960, options [mss 1380,sackOK,TS val 2930239560 ecr 3823364506,nop,wscale 7], length 0

It seems to me that the checksum error is not the issue here, and it's probably firewall rules or issues with the remote server and this one subnet, but I'd like to understand why that error is there nevertheless.
I've also noticed the different MSS for the connections; could the issue be there? The remote end of the IPsec tunnel sends packets with MSS 1380, but on OpenVPN the MSS is 1357. I still don't see packets reaching the pfSense box, though.
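What tcpdump's "bad cksum 4535 (->4635)" actually means can be checked against the captures in the post. The script below is an added example, not part of the post: it rebuilds each IPv4 header from the fields that tcpdump -v printed, recomputes the RFC 791 header checksum, and compares it with both numbers. On all four packets the "->" value is the checksum of the header as captured, and the value the packet carries is the checksum of the same header with a TTL one higher. The reading this supports, stated here as an assumption and not something the post confirms, is that the packet was tapped on the IPsec interface after the forwarding path had decremented the TTL but before the header checksum was rewritten on output; the transport checksums ("cksum 0xfaae (correct)") are unaffected either way. The sample text is copied from the captures above, with the first packet's header and address lines put in tcpdump's own order; the RFC 1624 incremental update is included to show the same +0x100 relationship without rebuilding the header.

```python
import re
import struct
from ipaddress import IPv4Address

# Sample input constructed from the capture lines quoted in the post above, each
# tcpdump -v header line followed by its address line.
CAPTURE = """\
10:56:14.915915 (authentic,confidential): SPI 0x19a10808: (tos 0x0, ttl 63, id 38748, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4535 (->4635)!)
    10.0.253.3 > 192.168.150.107: ICMP echo request, id 31, seq 764, length 64
11:09:53.235777 (authentic,confidential): SPI 0x19a10808: (tos 0x10, ttl 63, id 19695, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 8fa5 (->90a5)!)
    10.0.253.3.56098 > 192.168.150.107.23: Flags [S], cksum 0xfaae (correct), seq 2630625051, win 64240, options [mss 1357,sackOK,TS val 3266286302 ecr 0,nop,wscale 7], length 0
11:15:12.766362 (authentic,confidential): SPI 0x4719536e: (tos 0x0, ttl 62, id 28659, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 8a94 (->8b94)!)
    192.168.41.101 > 192.168.150.107: ICMP echo request, id 5616, seq 6, length 64
11:16:40.524829 (authentic,confidential): SPI 0x4719536e: (tos 0x10, ttl 62, id 23906, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 9d28 (->9e28)!)
    192.168.41.101.50992 > 192.168.150.107.23: Flags [S], cksum 0x318e (correct), seq 2208285177, win 64240, options [mss 1460,sackOK,TS val 3823364506 ecr 0,nop,wscale 7], length 0
"""

# The part of a tcpdump -v IPv4 header line that carries the fields we need.
HDR_RE = re.compile(
    r"\(tos 0x([0-9a-f]+), ttl (\d+), id (\d+), offset (\d+), flags \[([^\]]*)\], "
    r"proto \w+ \((\d+)\), length (\d+), bad cksum ([0-9a-f]{4}) \(->([0-9a-f]{4})\)!\)"
)
# Source and destination from the following line; an optional trailing ".port" is dropped.
ADDR_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")
FLAG_BITS = {"DF": 0x4000, "+": 0x2000, "none": 0}  # tcpdump's names for DF / MF / no flags


def ones_complement_sum(words):
    """Sum 16-bit words with end-around carry (RFC 1071 arithmetic)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header):
    """RFC 791 header checksum: complement of the ones-complement sum of the header's words."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    return (~ones_complement_sum(words)) & 0xFFFF


def build_header(tos, ttl, ident, offset, flags, proto, length, src, dst):
    """Rebuild a 20-byte option-less IPv4 header from the tcpdump fields, checksum field zeroed."""
    flags_frag = 0
    for name in flags.split(", "):
        flags_frag |= FLAG_BITS[name]
    flags_frag |= offset // 8  # tcpdump prints the fragment offset in bytes, the header stores 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, length, ident, flags_frag,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def checksum_after_ttl_decrement(old_cksum, old_ttl, proto):
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m') applied to the TTL/protocol word."""
    m_old = (old_ttl << 8) | proto
    m_new = ((old_ttl - 1) << 8) | proto
    return (~ones_complement_sum([(~old_cksum) & 0xFFFF, (~m_old) & 0xFFFF, m_new])) & 0xFFFF


def analyse(text):
    """For every 'bad cksum' packet, compare tcpdump's two numbers with checksums recomputed
    for the header as captured and for the same header one hop earlier (TTL + 1)."""
    lines = text.splitlines()
    rows = []
    for i, line in enumerate(lines):
        m = HDR_RE.search(line)
        if not m:
            continue
        a = ADDR_RE.match(lines[i + 1])
        tos, ttl, ident, offset = int(m[1], 16), int(m[2]), int(m[3]), int(m[4])
        flags, proto, length = m[5], int(m[6]), int(m[7])
        reported, expected = int(m[8], 16), int(m[9], 16)
        src, dst = a[1], a[2]
        rows.append({
            "ttl": ttl,
            "proto": proto,
            "reported": reported,   # checksum the captured packet carries
            "expected": expected,   # the "->" value tcpdump computed for the captured header
            "recomputed": ipv4_checksum(build_header(tos, ttl, ident, offset, flags, proto, length, src, dst)),
            "one_hop_earlier": ipv4_checksum(build_header(tos, ttl + 1, ident, offset, flags, proto, length, src, dst)),
        })
    return rows


if __name__ == "__main__":
    for r in analyse(CAPTURE):
        print("ttl %d: packet carries %04x, tcpdump expects %04x, recomputed %04x, with ttl %d it would be %04x"
              % (r["ttl"], r["reported"], r["expected"], r["recomputed"], r["ttl"] + 1, r["one_hop_earlier"]))
```

If "one_hop_earlier" equals the carried checksum on every packet, the warning is an artifact of where the capture was taken rather than corruption on the wire, and it cannot distinguish the working LAN flows from the failing OpenVPN flow, since both show it identically. A capture on the physical WAN interface, where the outer ESP packet is visible after output processing, is the place to confirm the header left the box with a valid checksum.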