[Swan] bandwidth usage

Bob Miller bob at computerisms.ca
Wed Mar 19 20:50:10 EET 2014


Hello,

I am looking for explanations on how packets traverse iptables using
netkey in openswan/libreswan implementations (I am presuming it will be
the same for both).  Specifically, I want to know how I would trace vpn
traffic through the packet flow diagram found at
http://l7-filter.sourceforge.net/PacketFlow.png - I wonder where in that
model packets get lifted for encryption/decryption, and where those
modified packets re-appear, and how the flow of such packets might
differ from normally NAT'd traffic.  I am particularly not clear on the
flow in the direction from unencrypted entry to encrypted exit...

The purpose is that I am trying to track bandwidth usage and I want to
know where the count is/isn't being increased by both the unencrypted
and encrypted packet, as well as differentiate between overall
egress/ingress, regularly NAT'd traffic, and vpn usage.

I have spent the last hours sifting through posts and articles and
haven't found much that seems authoritative; that which I have found
seems inconsistently detailed between different authors (and my
expectations), or uses terminology contrary to my understanding, such as
identifying the "POSTROUTING table".

I think I am searching on the wrong words, or am not recognizing the
information I want for what it is.  Can anyone point me at some
documentation that describes the details I am after?

-- 
Computerisms
Bob Miller      
867-334-7117 / 867-633-3760
http://computerisms.ca




