On 2021-09-13, Hrvoje Popovski <hrv...@srce.hr> wrote:
> On 13.9.2021. 14:08, Tom Smyth wrote:
>> Can you do an exception for the ranges ... so internet - private IPs
>> you don't want over the tunnel)
>>
>> ike esp from 10.90.0.0/24 to any encrypt
>> and
>>
>> 10.90.0.0/24 to NOT [networks you don't want
>> over the tunnel) ?
>>
>
> :) this was the first thought that I've had ... but I couldn't find how
> to do it ... at least in man ipsec.conf or isakmpd.conf
>
You do this with a "bypass flow" in /etc/ipsec.conf:

    flow from $network/$prefix to $network/$prefix type bypass

and load it with ipsecctl. Note that if you use iked, you cannot configure this directly in iked.conf, but you can still use ipsecctl and ipsec.conf for this purpose, in conjunction with iked for the tunnel setup.
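As an added illustration of the bypass-flow approach described in this reply (this is example code, not something posted in the thread), the script below builds an ipsec.conf fragment for the 10.90.0.0/24 network from the original question. The exempted ranges (192.168.0.0/16, 172.16.0.0/12) and the peer address 203.0.113.1 are constructed placeholders; the `ike esp` line is the isakmpd form of the tunnel rule and would be omitted when the tunnel is defined in iked.conf instead. The ipsecctl invocations (`-n -f` to parse without loading, `-f` to load, `-s flow` to inspect the resulting flows) only run where the tool exists.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate an
# ipsec.conf fragment whose "type bypass" flows keep selected private
# ranges out of the tunnel, then parse/load/verify it with ipsecctl.

TUNNEL_NET="10.90.0.0/24"                 # local network from the thread
BYPASS_NETS="192.168.0.0/16 172.16.0.0/12" # constructed: must NOT use the tunnel
PEER="203.0.113.1"                        # constructed placeholder gateway

# Emit the ipsec.conf fragment on stdout.
# The bypass flows are more specific than the "to any" tunnel flow, so the
# kernel's most-specific flow lookup selects them for traffic to those nets.
bypass_config() {
    for net in $BYPASS_NETS; do
        printf 'flow from %s to %s type bypass\n' "$TUNNEL_NET" "$net"
    done
    # isakmpd-style tunnel rule; drop this line when iked.conf owns the tunnel
    printf 'ike esp from %s to any peer %s\n' "$TUNNEL_NET" "$PEER"
}

# Sanity check: number of bypass flows present in a config file.
count_bypass() {
    grep -c 'type bypass' "$1"
}

# Write the fragment to a temp file and, on OpenBSD, test and load it.
main() {
    conf=$(mktemp)
    bypass_config > "$conf"
    echo "Generated config ($(count_bypass "$conf") bypass flows):"
    cat "$conf"
    if command -v ipsecctl >/dev/null 2>&1; then
        ipsecctl -n -f "$conf" &&   # parse only, report syntax errors
        ipsecctl -f "$conf" &&      # load flows (and ike rules) into the kernel
        ipsecctl -s flow            # show the installed flows
    else
        echo "ipsecctl not available on this host; skipping load"
    fi
    rm -f "$conf"
}
```

Run it as root on the OpenBSD gateway to load the flows; `ipsecctl -s flow` should then list the bypass entries alongside the tunnel flow, and traffic from 10.90.0.0/24 to the exempted ranges leaves in the clear while everything else still takes the tunnel.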