itd->flags = 0;
        if (xs->id.proto == IPPROTO_ESP) {
+               struct sk_buff *skb = first->skb;
+               int ret, authlen, trailerlen;
+               u8 padlen;
+
                itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_TYPE_ESP |
                              IXGBE_ADVTXD_TUCMD_L4T_TCP;
                if (first->protocol == htons(ETH_P_IP))
                        itd->flags |= IXGBE_ADVTXD_TUCMD_IPV4;
-               itd->trailer_len = xs->props.trailer_len;
+
+               /* The actual trailer length is authlen (16 bytes) plus
+                * 2 bytes for the proto and the padlen values, plus
+                * padlen bytes of padding.  This ends up not the same
+                * as the static value found in xs->props.trailer_len (21).
+                *
+                * The "correct" way to get the auth length would be to use
+                *    authlen = crypto_aead_authsize(xs->data);
+                * but since we know we only have one size to worry about
+                * we can let the compiler use the constant and save us a
+                * few CPU cycles.
+                */
+               authlen = IXGBE_IPSEC_AUTH_BITS / 8;
+
+               ret = skb_copy_bits(skb, skb->len - (authlen + 2), &padlen, 1);
+               if (unlikely(ret))
+                       return 0;
+               trailerlen = authlen + 2 + padlen;
+               itd->trailer_len = trailerlen;
        }
        if (tsa->encrypt)
                itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_ENCRYPT_EN;