*** Josuah Demangeon [2023-10-15 16:43]:
> Not possible to do "tcpdump -i ipsec0" to see the packets going
> *over* the VPN as there is no network interface for it

That depends on OS/configuration. There could literally be an "ipsec" interface in FreeBSD to see exactly the packets flowing over that VPN:
https://man.freebsd.org/cgi/man.cgi?query=if_ipsec&sektion=4

Personally, I just used to use gif tunnels (IP-in-IP) and apply transport-mode ESP to them. Basically it has more-or-less (if we forget about ECN at least) the same behaviour/efficiency as native tunnel mode (that also encapsulates IP in IP and encrypts traffic between two tunnel endpoints), but at least you have a gif interface you can conveniently tcpdump.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: 12AD 3268 9C66 0D42 6967 FD75 CB82 0563 2107 AD8A
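Added example, not code from the thread or from Sergey: a shell sketch of the gif + transport-mode ESP arrangement described above on FreeBSD, with constructed RFC 5737 addresses and an assumed outer interface name (em0). By default it only prints the ifconfig/setkey/tcpdump steps (DRY_RUN=1); the ESP SAs themselves are assumed to come from an IKE daemon or manual setkey "add" lines, which are not shown.

```shell
#!/bin/sh
# Added example: build a gif(4) IP-in-IP tunnel and require transport-mode
# ESP for it with setkey(8), so "tcpdump -i gif0" shows the inner packets
# while the outer interface only carries ESP. Addresses are constructed.
# SAs are assumed to be negotiated by an IKE daemon (or added manually).
set -eu

LOCAL_OUTER=${LOCAL_OUTER:-192.0.2.1}      # our public address
REMOTE_OUTER=${REMOTE_OUTER:-198.51.100.1} # peer public address
LOCAL_INNER=${LOCAL_INNER:-10.0.0.1}       # our end of the gif link
REMOTE_INNER=${REMOTE_INNER:-10.0.0.2}     # peer end of the gif link
OUTER_IF=${OUTER_IF:-em0}                  # physical interface (assumed)
DRY_RUN=${DRY_RUN:-1}                      # 1 = print commands, 0 = run them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ifconfig(8) steps: create gif0, set outer endpoints, then inner addresses.
gif_commands() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$LOCAL_OUTER" "$REMOTE_OUTER"
    run ifconfig gif0 inet "$LOCAL_INNER" "$REMOTE_INNER"
    run ifconfig gif0 up
}

# setkey(8) policy: the gif tunnel emits protocol 4 (IP-in-IP, "ip4" in
# setkey's upperspec) between the outer endpoints; require ESP in
# transport mode for exactly that traffic, in both directions.
spd_config() {
    cat <<EOF
spdflush;
spdadd $LOCAL_OUTER $REMOTE_OUTER ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_OUTER $LOCAL_OUTER ip4 -P in  ipsec esp/transport//require;
EOF
}

# Where to look: gif0 shows the cleartext inner IP packets; the outer
# interface shows only ESP between the two endpoints.
capture_hints() {
    printf 'inner (plaintext): tcpdump -ni gif0\n'
    printf 'outer (ESP only):  tcpdump -ni %s host %s and esp\n' \
        "$OUTER_IF" "$REMOTE_OUTER"
}

gif_commands
if [ "$DRY_RUN" = 1 ]; then spd_config; else spd_config | setkey -c; fi
capture_hints
```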