After doing some digging, it looks like my best bet would be using 
ipfstat and setting up count rules for each route (thanks Jarkko). I 
noticed that one BSD - I think it was OpenBSD, which of course has it's 
own non-KAME implimentation - creates a ipsec* interface for tunnel 
mode. Is there any though to adding this to NetBSD? I would be willing 
to do some testing on a i386-current test network.

>On Thu, 3 Jul 2003, J. Buck Caldwell wrote:
>
>  
>
>>Is anyone monitoring traffic across IPSec links with MRTG? I'm using
>>esp/tunnel mode. I tried monitoring the GIF tunnel, but that doesn't
>>work - just shows about 60 bytes average.
>>
>>Any pointers in the right direction would be helpful. Thanks.
>>    
>>
>
>  
>