On 2025-03-09, Devin Reade <g...@gno.org> wrote:
> Related to my iked/carp thread from 5 Mar 2025, I'm wondering
> if I'm misunderstanding the intended syntax for iked.conf.
> (I've changed the subject line because carp is no longer
> an issue).
>
> My understanding of the man page is that a 'skip' should
> essentially act as an exclusion rule for the associated networks,
> with precedence on the last matching policy, but it doesn't seem to
> be working that way; the 'skip' seems to have no effect
> on where the packets are sent.

IIUC 'skip' is for exclusions for IKEv2 connections, not for which
packets get sent over the tunnel.

If you were using flow-based IPsec then you would be looking for
'bypass flows'. You can use these with iked, but you need to use ikectl
(normally used with isakmpd) to configure them.

However, as you're using sec(4), I'm not sure what you'd need to do
here.



-- 
Please keep replies on the mailing list.
