I am noticing an interface on my system called ipsec0 but I can't figure out what is creating it.
I have no VPN software installed or VPN connections configured on the system. Back to my Mac service is disabled as well.
Below is the output from ifconfig
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 50000
The MTU of 50000 is very strange as well.
Best Answer
On my Mac the ipsec0 interface has an IPv6 address that is part of the /64 2607:fb90:13c0:e82::/64, which is owned by T-Mobile as seen from the whois:
Since it is an ipsec tunnel, we can find out what the endpoint address is by looking for traffic on our main outgoing interface (tcpdump on en0 for example), which is where we find out 208.54.40.75 is the endpoint address, which we can whois again and get back:
So now the interesting part, what is opening this connection and what is it used for?
A handy command for this is named lsof which lists open files. We can pass it a couple of flags, and get back just what is listening, along with what process is listening.
At which point we see something like the following:
That second number that is listed is the PID (process ID) for the process that has the open connection, so we can get more detail for what other connections are open by using:
This will output something like the following:
We can see that this has an open connection on port 500 and 4500. Port 500 is used for key exchange when using an ipsec based VPN, and 4500 is used for ipsec tunnels to traverse NAT, see this page for more information: https://en.wikipedia.org/wiki/NAT_traversal#IPsec
And then information about the process itself:
So based upon this we can make a couple of assumptions:
As soon as I start a FaceTime Wifi-call while running tcpdump on the ipsec0 interface I see the standard SIP protocol (which is what FaceTime uses to make calls).
tl;dr: ipsec0 is used for Wifi calling.
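The attribution step the answer describes (finding which process holds the IKE and NAT-T sockets on UDP 500 and 4500) can be scripted. The following is an added example, not part of the original answer: the function names, the lsof flag combination and the sample records (process name `exampled`, PID 4242, local address 192.0.2.10) are constructed for illustration; only the endpoint 208.54.40.75 comes from the answer.

```shell
#!/bin/sh
# Added example: report which processes hold IKE (UDP 500) or IPsec NAT-T
# (UDP 4500) sockets, using lsof's machine-readable field output.

# ike_owners: reads `lsof -F pcn` records on stdin and prints
# "pid command port" once per (pid, port) pair whose local port is 500 or 4500.
ike_owners() {
    awk '
        /^p/ { pid = substr($0, 2); next }   # process ID record
        /^c/ { cmd = substr($0, 2); next }   # command name record
        /^n/ {
            name = substr($0, 2)
            sub(/->.*/, "", name)            # keep the local side of the socket
            n = split(name, parts, ":")
            port = parts[n]                  # port follows the last colon
            if ((port == "500" || port == "4500") && !seen[pid, port]++)
                print pid, cmd, port
        }
    '
}

# Constructed sample of `lsof -nP -iUDP -F pcn` output (not captured from a
# real host). The process name and PID are placeholders.
sample_lsof() {
    cat <<'EOF'
p4242
cexampled
f5
n*:500
f6
n192.0.2.10:4500->208.54.40.75:4500
f7
n192.0.2.10:4500->208.54.40.75:4500
p99
cmDNSResponder
f8
n*:5353
EOF
}

# Live use (assumes lsof is installed; root may be needed to see all sockets):
#   lsof -nP -iUDP:500 -iUDP:4500 -F pcn | ike_owners
if [ "${1:-}" = "--demo" ]; then
    sample_lsof | ike_owners
fi
```

An unexpected process name in this output on a host with no VPN configured is the thing to investigate further, for example by checking the binary's path and code signature.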