Sergey Matveev <stargrave+suckl...@stargrave.org> wrote:
>*** Josuah Demangeon [2023-10-15 16:43]:
>>Not possible to do "tcpdump -i ipsec0" to see the packets going
>>*over* the VPN as there is no network interface for it
> 
>That depends on OS/configuration. There could literally be an "ipsec"
>interface in FreeBSD to see exactly the packets flowing over that VPN.
>https://man.freebsd.org/cgi/man.cgi?query=if_ipsec&sektion=4

That is convenient and intuitively named.

>Personally I just used to use gif-tunnels (IP-in-IP) and apply transport
>mode ESP to them. Basically it has more-or-less (if we forget about ECN
>at least) the same behaviour/efficiency as native tunnel mode (that also
>encapsulates IP in IP and encrypts traffic between two tunnel endpoints)
>but at least you have gif-interface you can conveniently tcpdump.

This is an interesting setup. Then there is no need to change the IPsec
configuration files all the time, and firewall and routing rules can
be edited normally.
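The gif-tunnel plus transport-mode ESP setup described above, written out as an added example (not code from the thread). The addresses (RFC 5737 ranges), the outer interface name and the APPLY switch are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: a gif(4) IP-in-IP tunnel with
# transport-mode ESP required on the tunnel packets. Addresses are constructed.
# Without APPLY=1 the script only prints what it would do, so it can be
# reviewed anywhere; with APPLY=1 it runs the commands (root on FreeBSD).
OUTER_LOCAL=${OUTER_LOCAL:-192.0.2.1}       # our public address (constructed)
OUTER_REMOTE=${OUTER_REMOTE:-198.51.100.1}  # peer's public address (constructed)
INNER_LOCAL=${INNER_LOCAL:-10.9.0.1}        # addresses inside the tunnel (constructed)
INNER_REMOTE=${INNER_REMOTE:-10.9.0.2}
OUTER_IF=${OUTER_IF:-em0}                   # assumed outer interface name

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# The gif interface: the outer endpoints carry the IP-in-IP encapsulation;
# the inner addresses are what routing, firewall rules and "tcpdump -i gif0" see.
gif_setup() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$OUTER_LOCAL" "$OUTER_REMOTE"
    run ifconfig gif0 inet "$INNER_LOCAL" "$INNER_REMOTE" netmask 255.255.255.252 up
}

# setkey(8) SPD entries. The selector is IP protocol 4 ("ipencap" in
# /etc/protocols) between the outer endpoints only, so exactly the gif traffic
# must go through transport-mode ESP; other traffic between the two hosts is
# left alone. The SAs themselves are negotiated by the IKE daemon (not shown).
gif_esp_policy() {
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' "$OUTER_LOCAL" "$OUTER_REMOTE"
    printf 'spdadd %s %s ipencap -P in  ipsec esp/transport//require;\n' "$OUTER_REMOTE" "$OUTER_LOCAL"
}

apply_policy() {
    if [ "${APPLY:-0}" = 1 ]; then gif_esp_policy | setkey -c; else gif_esp_policy; fi
}

# Post-checks: policy present in both directions; cleartext visible on gif0;
# no unprotected IP-in-IP (protocol 4) ever appearing on the outer interface.
verify_cmds() {
    printf 'setkey -DP\n'
    printf 'tcpdump -ni gif0\n'
    printf 'tcpdump -ni %s ip proto 4\n' "$OUTER_IF"
}

# True when the generated policy covers both directions with the ipencap selector.
policy_is_complete() {
    [ "$(gif_esp_policy | grep -c 'ipencap -P [a-z]* *ipsec esp/transport//require')" -eq 2 ]
}

gif_setup
apply_policy
verify_cmds
```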
