Ipsec0 interface

Tags: network, vpn

I am noticing an interface on my system called ipsec0 but I can't figure out what is creating it.

I have no VPN software installed or VPN connections configured on the system. Back to my Mac service is disabled as well.

Below is the output from ifconfig

ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 50000

The MTU of 50000 is very strange as well.

Best Answer

On my Mac the ipsec0 interface has an IPv6 address that is part of the /64 2607:fb90:13c0:e82::/64, which is owned by T-Mobile, as seen from the whois:

CIDR:           2607:FB90::/32
NetName:        TMOV6-1
NetHandle:      NET6-2607-FB90-1
Parent:         NET6-2600 (NET6-2600-1)
NetType:        Direct Allocation
OriginAS:       AS21928
Organization:   T-Mobile USA, Inc. (TMOBI)
RegDate:        2009-07-14
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET6-2607-FB90-1

Since it is an ipsec tunnel, we can find out what the endpoint address is by looking for traffic on our main outgoing interface (tcpdump on en0, for example). There we find that 208.54.40.75 is the endpoint address, which we can whois again and get back:

NetRange:       208.54.0.0 - 208.54.159.255
CIDR:           208.54.128.0/19, 208.54.0.0/17
NetName:        TMO2
NetHandle:      NET-208-54-0-0-1
Parent:         NET208 (NET-208-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   T-Mobile USA, Inc. (TMOBI)
RegDate:        1999-08-10
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-208-54-0-0-1

So now the interesting part, what is opening this connection and what is it used for?

A handy command for this is lsof, which lists open files. We can pass it a couple of flags and get back just what is listening, along with which process is listening.

lsof -a -i -l -P | grep 2607:fb90:13c0:e82

At which point we see something like the following:

ntpd        198        0   32u  IPv6 0x1c220855d5c2b5a1      0t0  UDP [2607:fb90:13c0:e82::]:123
CommCente   249     1001   26u  IPv6 0x1c220855d59e9a91      0t0  UDP [2607:fb90:13c0:e82::]:5060
CommCente   249     1001   27u  IPv6 0x1c220855d3b35a61      0t0  TCP [2607:fb90:13c0:e82::]:5060 (LISTEN)

The second number listed is the PID (process ID) of the process that has the open connection, so we can get more detail on what other connections are open by using:

lsof -a -i -l -P -p 249

This will output something like the following:

COMMAND   PID     USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
CommCente 249     1001   15u  IPv4 0x1c220855d68c85a1      0t0  UDP 10.64.1.100:500->m4b2836d0.tmodns.net:500
CommCente 249     1001   20u  IPv4 0x1c220855d336be89      0t0  UDP 10.64.1.100:4500->m4b2836d0.tmodns.net:4500
CommCente 249     1001   26u  IPv6 0x1c220855d59e9a91      0t0  UDP [2607:fb90:13c0:e82::]:5060
CommCente 249     1001   27u  IPv6 0x1c220855d3b35a61      0t0  TCP [2607:fb90:13c0:e82::]:5060 (LISTEN)

We can see that this has open connections on ports 500 and 4500. Port 500 is used for key exchange when using an ipsec-based VPN, and 4500 is used for ipsec tunnels to traverse NAT; see this page for more information: https://en.wikipedia.org/wiki/NAT_traversal#IPsec

And then information about the process itself:

ps auxwww | grep 249

xistence          249   0.0  0.2  2582352  29932   ??  S     2:07PM   0:03.34 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter

So based upon this we can make a couple of assumptions:

  1. The tunnel endpoints are owned by T-Mobile
  2. It has something to do with CoreTelephony, which seems to be a library used by Apple to implement phone calling on iOS (and now OS X): https://developer.apple.com/library/prerelease/ios/documentation/NetworkingInternet/Reference/CoreTelephonyFrameworkReference/index.html
  3. Based upon 1 and 2, and knowing that I have enabled Wifi Calling in FaceTime and on my phone, I can be fairly certain that this ipsec tunnel is used to route calls to my laptop.

As soon as I start a FaceTime Wifi-call while running tcpdump on the ipsec0 interface I see the standard SIP protocol (which is what FaceTime uses to make calls).

tl;dr: ipsec0 is used for Wifi calling.
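The triage the answer walks through (list sockets with lsof, pick out the process holding the IKE/NAT-T sockets on UDP 500 and 4500, and collect the remote endpoint to whois) can be scripted. The following is an added example, not code from the answer or from Apple; it parses the lsof output format shown above and the sample lines are the listing from the answer, embedded inline so it runs offline.

```python
import re

# IPsec control-plane ports the answer identifies: IKE (500) and NAT-T (4500).
IKE_PORTS = {500, 4500}

# NAME column: "addr:port" or "[v6addr]:port", optionally followed by "->peer:port".
_NAME_RE = re.compile(
    r'^(?P<local>\[[^\]]+\]|[^:\s]+):(?P<lport>\d+)'
    r'(?:->(?P<remote>\[[^\]]+\]|[^:\s]+):(?P<rport>\d+))?'
)

def parse_lsof(text):
    """Parse `lsof -a -i -l -P` output into one dict per socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # 9 columns; NAME keeps its "(LISTEN)" suffix
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue  # blank line or header row
        cmd, pid, user, _fd, _typ, _dev, _size, node, name = parts
        m = _NAME_RE.match(name)
        if not m:
            continue
        rows.append({
            "command": cmd, "pid": int(pid), "user": user, "proto": node,
            "local": m.group("local").strip("[]"), "lport": int(m.group("lport")),
            "remote": (m.group("remote") or "").strip("[]") or None,
            "rport": int(m.group("rport")) if m.group("rport") else None,
            "listening": "(LISTEN)" in name,
        })
    return rows

def ipsec_suspects(rows):
    """PID -> {command, peers} for processes holding UDP sockets on IKE/NAT-T ports."""
    out = {}
    for r in rows:
        if r["proto"] == "UDP" and IKE_PORTS & {r["lport"], r["rport"]}:
            entry = out.setdefault(r["pid"], {"command": r["command"], "peers": set()})
            if r["remote"]:
                entry["peers"].add(r["remote"])  # candidate tunnel endpoint to whois
    return out

# Sample input: the lsof -p 249 listing from the answer plus its ntpd line.
SAMPLE = """\
COMMAND   PID     USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ntpd      198        0   32u  IPv6 0x1c220855d5c2b5a1      0t0  UDP [2607:fb90:13c0:e82::]:123
CommCente 249     1001   15u  IPv4 0x1c220855d68c85a1      0t0  UDP 10.64.1.100:500->m4b2836d0.tmodns.net:500
CommCente 249     1001   20u  IPv4 0x1c220855d336be89      0t0  UDP 10.64.1.100:4500->m4b2836d0.tmodns.net:4500
CommCente 249     1001   26u  IPv6 0x1c220855d59e9a91      0t0  UDP [2607:fb90:13c0:e82::]:5060
CommCente 249     1001   27u  IPv6 0x1c220855d3b35a61      0t0  TCP [2607:fb90:13c0:e82::]:5060 (LISTEN)
"""

if __name__ == "__main__":
    for pid, info in ipsec_suspects(parse_lsof(SAMPLE)).items():
        print(f"PID {pid} ({info['command']}) holds IKE/NAT-T sockets; peers: {sorted(info['peers'])}")
```

On a live system, feed it the output of `lsof -a -i -l -P -n` instead of SAMPLE; the peers it returns are the addresses to check against whois, and the PID is the one to look up with ps.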