> OpenBSD's implementation of ipsec doesn't use the routing table, if you
> want that (unless you make code changes) you will need to use a
> different tunnel interface (gif or others) and just use ipsec to protect
> the gif traffic.
The point is to keep the configuration simple and gif doesn't make it so. But when the source is with changing IPs often it ends up not being very possible, is it... So not really an option. May be time to check wireguard instead then. But not having it in the kernel or fully mature yet on OpenBSD is also limiting.

> Sounds like you want bypass flows for 66.63.44.96/27 <> 66.63.44.64/27.
> IIRC you can still use ipsecctl/ipsec.conf to configure them even
> with iked running (the only bypass flows iked will add itself are the
> automatic "mess with v6 traffic" ones, there's no iked.conf way to do
> this flexibly).

The point of ikev2 was to keep things simple and light. Doing the full ipsec, even if doable, is really a real pain in the butt. As you saw I can make ikev2 work as is. Yes, I hate how I have to do it, but I can make it work. I was really hoping that maybe something I didn't think of or a different workaround for the limitation was possible and someone might get a different idea. I thought that maybe with rdomain there might be a way to bypass the issue with ikev2, but I must admit my limitations on rdomain didn't offer me a solution there either. If my solution is to use gif/ipsec as opposed to my ugly ikev2 ways, I will stick with the ugly one. KISS served me well over the years and I will not use a more complicated solution. Nevertheless, thanks for your time and consideration to even have read my email Stuart, I appreciated it!

Daniel
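The ipsecctl/ipsec.conf bypass flows Stuart refers to, written out as an added example that is not part of either message in the thread. The two /27 prefixes are the ones named above; the file path is the standard one but whether it is already in use on this host is an assumption.

```conf
# /etc/ipsec.conf -- example added here, not from the thread.
# A bypass flow tells the kernel to leave traffic matching it alone,
# so packets between the two /27s are neither encrypted nor dropped
# by the flows that iked installs. When no "in" or "out" direction is
# given, ipsecctl installs both directions from this single rule.
flow esp from 66.63.44.96/27 to 66.63.44.64/27 type bypass
```

Check the file with `ipsecctl -n -f /etc/ipsec.conf` before loading it with `ipsecctl -f /etc/ipsec.conf`, and confirm the result with `ipsecctl -sf`, which lists the installed flows next to the ones iked negotiated. To take the rule back out, use `ipsecctl -d -f /etc/ipsec.conf` rather than `ipsecctl -F`: the latter flushes every SA and flow on the system, including those belonging to the running iked.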