by yabones 1293 days ago
I think we need more information. Do you run any services on that machine that would be exposed? Do you port-forward to that box? Use a VPN or something like Tailscale?

Or perhaps a sync client like syncthing, onedrive, nextcloud, etc. could be to blame.

One option would be to log all traffic on that machine to a .pcap and feed it through some IDS analyzers.


Nothing is exposed directly to the internet, but I had some development services that were accessible on my private network.

I do use Dropbox, but the odd part was that it was seemingly IPsec traffic.

I really should have grabbed a pcap when it was occurring. I only have a screenshot of tcpdump which is not very useful.

Dropbox would be my #1 suspect. They like to play fast and loose with your networking resources. I have seen Dropbox open lots of weird, undocumented ports for purposes their own support people aren't aware of. Case in point: https://pdfhost.io/v/1C9zgOibj_port_1298_1299_dialogue_with_... (23 kB .PDF)

Kill your Dropbox process(es) -- there will probably be several, again for no clear reason -- and I'll bet this behavior stops. Whenever my system behaves in an unexpected way, I've learned to start the troubleshooting process by temporarily killing Dropbox.

Was it IPsec traffic, or just something running on the IPsec port?
Unfortunately, I did not save any packet captures, so I only saw that it was on the IPsec port.
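The thread's two technical suggestions, capturing to a .pcap and then checking whether the traffic is real IPsec or merely something on the IPsec port, can be combined into one offline check. The following is an added example, not code from any poster: it builds a small pcap in memory from constructed frames (an IKEv2 IKE_SA_INIT on UDP 500, a raw ESP packet, a plain-text UDP datagram aimed at port 500, and NAT-T ESP on UDP 4500), then classifies each frame by protocol number and by a heuristic parse of the 28-byte ISAKMP header rather than by port alone. The capture itself would come from something like `tcpdump -i <iface> -w capture.pcap`; the parser assumes a little-endian, microsecond-resolution pcap with Ethernet/IPv4 frames and does not handle IPv6, VLAN tags or pcapng.

```python
"""Tell real IPsec (ESP, AH, IKE) apart from traffic that merely uses UDP 500/4500."""
import struct
from collections import Counter

# IKEv1 main/aggressive/informational/quick mode and IKEv2 SA_INIT/AUTH/CREATE_CHILD_SA/INFORMATIONAL
IKE_EXCHANGES = {2, 4, 5, 32, 34, 35, 36, 37}


def looks_like_isakmp(data):
    """Heuristic check of an ISAKMP/IKE header: version 1.0 or 2.0, known exchange type,
    and the declared length matching the datagram. Not a full parser, just enough to
    reject arbitrary bytes that happen to be sent to port 500."""
    if len(data) < 28:
        return False
    version, exchange = data[17], data[18]
    length = struct.unpack_from("!I", data, 24)[0]
    return version in (0x10, 0x20) and exchange in IKE_EXCHANGES and length == len(data)


def classify_frame(frame):
    """Label one Ethernet/IPv4 frame as esp, ah, isakmp, nat-t-esp, port*-not-isakmp or other."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return "other"
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto == 50:
        return "esp"
    if proto == 51:
        return "ah"
    if proto != 17 or len(ip) < ihl + 8:
        return "other"
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    udp_data = ip[ihl + 8:]
    if 500 in (sport, dport):
        return "isakmp" if looks_like_isakmp(udp_data) else "port500-not-isakmp"
    if 4500 in (sport, dport):
        if udp_data[:4] == b"\x00\x00\x00\x00":  # non-ESP marker: IKE carried over NAT-T
            return "isakmp" if looks_like_isakmp(udp_data[4:]) else "port4500-not-isakmp"
        if len(udp_data) >= 8:  # SPI + sequence number: ESP-in-UDP
            return "nat-t-esp"
        return "port4500-not-isakmp"  # e.g. the 1-byte NAT-T keepalive, or junk
    return "other"


def pcap_frames(data):
    """Yield raw frames from an in-memory little-endian pcap (Ethernet link type only)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_pcap(data):
    return [classify_frame(f) for f in pcap_frames(data)]


def summarize_pcap(data):
    return dict(Counter(classify_pcap(data)))


# --- constructed sample capture (hypothetical addresses, not from any real trace) ---
def _frame(proto, payload, src="10.0.0.5", dst="203.0.113.9"):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # IP checksum left as 0: the classifier never validates it
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip_hdr + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _ike_sa_init():
    # initiator SPI, zero responder SPI, next payload SA(33), version 2.0, exchange 34, flags I, msg id 0, length
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)


def build_sample_pcap():
    frames = [
        _frame(17, _udp(500, 500, _ike_sa_init())),                                  # genuine IKEv2
        _frame(50, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),                 # genuine ESP
        _frame(17, _udp(51000, 500, b"hello world\n")),                               # port 500, not IKE
        _frame(17, _udp(4500, 4500, struct.pack("!II", 0x12345678, 7) + b"\x00" * 8)),  # ESP over NAT-T
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    print(summarize_pcap(SAMPLE_PCAP))
```

Run against a real capture by replacing `SAMPLE_PCAP` with the contents of the file written by tcpdump. A count dominated by `port500-not-isakmp` means the tcpdump screenshot was misleading and the traffic was simply a client that happened to pick that port; `esp`, `ah` or `isakmp` hits mean something on the box really is negotiating or carrying IPsec, and the peer addresses in those frames are the next thing to look at.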