Is there any way to capture traffic that is encapsulated into ESP? That somehow means to look "inside" of the ESP packet. When capturing the traffic on the outside interface, I can only see the encapsulated traffic by default.
As far as I know, IPsec traffic passes 2 times through the ACL ruleset of the outside interface, one time encapsulated, one time decapsulated.
I hoped that when the packets pass the interface for the second time (decrypted) I would be able to capture them, but that does not seem to be the case.
Is there a way to capture traffic which leaves the traffic inside of an IPsec tunnel? Unfortunately Google was not my friend for that question.
Thanks a lot for your help, /Heri