One thing I recommend, based on my small experience -- of course, without using the complications of the (srcnat) option -- is the tcpdump(8) tool; it is a great aid.
There's no way to tell if traffic is being tunnelled in esp packets or not, without it.
IPSec SA and Flow definitions will determine what packets get tunnelled and what packets do not, but there is no functional difference to a network application for IPSec-protected traffic or traffic flowing in the clear.
So, an admin might assume that traffic is running inside a VPN just because there is some output from # ipsecctl -sa, but the traffic intended to be secured may not actually be tunneled.
It has always been helpful to me to run tcpdump and examine packets on both the enc0 pseudo-device and the gateway NICs.
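The check described in the post, as an added example that is not part of the original reply: it reads `tcpdump -n` style text from the gateway NIC, counts ESP versus cleartext packets, and flags any cleartext packet whose endpoints sit in a subnet pair that the flow definitions say must be tunnelled. The sample capture, the `em0` interface name and the 10.0.1.0/24 to 10.0.2.0/24 pair are constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sample in the style of `tcpdump -n -i em0` on an OpenBSD IPsec gateway (not a real capture).
# Lines 1-2: ESP between the two gateways. Line 3: a flow that should be inside the tunnel but is in the clear.
# Line 4: ordinary internet traffic that is not supposed to be tunnelled, so it is expected in the clear.
SAMPLE_EM0 = """\
12:00:01.000001 203.0.113.1 > 198.51.100.1: esp spi 0x00001234 seq 1 len 116
12:00:01.000002 198.51.100.1 > 203.0.113.1: esp spi 0x0000abcd seq 1 len 116
12:00:02.000003 10.0.1.5.49152 > 10.0.2.7.22: S 1:1(0) win 16384
12:00:02.000004 10.0.1.5.49153 > 93.184.216.34.443: S 1:1(0) win 16384
"""

# Hypothetical flow definition: every packet between these two subnets must leave the NIC as ESP.
PROTECTED_PAIRS = [("10.0.1.0/24", "10.0.2.0/24")]

# "src[.port] > dst[.port]:" as printed by tcpdump -n; the optional trailing .port is dropped.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:")
ESP_RE = re.compile(r"\besp\b", re.IGNORECASE)


def parse_line(line):
    """Return (src, dst, is_esp) for one tcpdump line, or None if it is not an IPv4 packet line."""
    m = ADDR_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2), ESP_RE.search(line[m.end():]) is not None


def summarize(capture_text):
    """Count (esp, cleartext) packets; enc0 should show only cleartext, the gateway NIC mostly ESP."""
    flags = [p[2] for p in map(parse_line, capture_text.splitlines()) if p is not None]
    return sum(flags), len(flags) - sum(flags)


def find_cleartext_leaks(capture_text, protected_pairs=PROTECTED_PAIRS):
    """Return cleartext lines whose endpoints fall inside a subnet pair that must be tunnelled."""
    nets = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in protected_pairs]
    leaks = []
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2]:
            continue  # not an IPv4 line, or already ESP
        s, d = ipaddress.ip_address(parsed[0]), ipaddress.ip_address(parsed[1])
        if any((s in a and d in b) or (s in b and d in a) for a, b in nets):
            leaks.append(line)
    return leaks
```

Feed it the saved output of `tcpdump -n -i em0` and `tcpdump -n -i enc0` separately: a protected flow should appear in the clear only in the enc0 capture, and any hit from `find_cleartext_leaks` on the NIC capture means the SA or flow definitions are not covering what the admin assumed.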