"netstat -p ipsec -s" command used to produce lots of useful data in KAME IPSEC implementation (upto RELENG_6). Since RELENG_7, this command shows incorrect data - it shows zeroes for most counters. This makes it difficult to diagnose other IPSEC-related problems. Fix: Unknown. How-To-Repeat: Make use of IPSEC, make some traffic pass in encrypted form, look at "netstat -p ipsec -s" output. Same for 7.x/i386, 8.x/i386, and 8.x/amd64.
My PR.
Believed to be fixed with recent IPSEC overhaul and merge to stable/11.