Background

Now let's say that, instead of the IPsec example, Alice wants to connect to a large class B subnet, 192.168.0.0/16, while she herself is on a local subnet, 192.168.2.0/24, that lies inside it. In other words, IPsec rules should not be applied to the local traffic.

Implementation

What has to be changed:

Security Policies

Alice's /etc/ipsec-tools.conf

flush;
spdflush;

spdadd 172.20.1.0/24 192.168.2.0/24 any -P out none;
spdadd 172.20.1.0/24 192.168.0.0/16 any -P out ipsec
           esp/tunnel/172.27.1.165-172.27.1.169/require;

spdadd 192.168.2.0/24 172.20.1.0/24 any -P in none;
spdadd 192.168.0.0/16 172.20.1.0/24 any -P in ipsec
           esp/tunnel/172.27.1.169-172.27.1.165/require;

The none policy means that no IPsec processing is applied to packets from 172.20.1.0/24 to 192.168.2.0/24 (out) or from 192.168.2.0/24 to 172.20.1.0/24 (in); the broader /16 entries still require ESP for everything else. See the setkey man page.
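As an added illustration (not part of the page or of ipsec-tools), the following Python model parses the spdadd entries above and shows which policy a packet would hit. It assumes, for the model only, that the most specific matching selector wins; on a real host the kernel orders entries by priority, so confirm the result with setkey -DP.

```python
"""Model of the SPD from Alice's ipsec-tools.conf (added example, not page code)."""
import ipaddress

# The entries from the page, exactly as written in /etc/ipsec-tools.conf.
SPD_CONF = """
flush;
spdflush;
spdadd 172.20.1.0/24 192.168.2.0/24 any -P out none;
spdadd 172.20.1.0/24 192.168.0.0/16 any -P out ipsec
           esp/tunnel/172.27.1.165-172.27.1.169/require;
spdadd 192.168.2.0/24 172.20.1.0/24 any -P in none;
spdadd 192.168.0.0/16 172.20.1.0/24 any -P in ipsec
           esp/tunnel/172.27.1.169-172.27.1.165/require;
"""


def parse_spd(conf):
    """Turn each spdadd statement into a dict; flush/spdflush are skipped."""
    entries = []
    for stmt in conf.split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0] != "spdadd":
            continue
        p = tokens.index("-P")
        entries.append({
            "src": ipaddress.ip_network(tokens[1]),
            "dst": ipaddress.ip_network(tokens[2]),
            "dir": tokens[p + 1],            # "in" or "out"
            "policy": tokens[p + 2],         # "none", "ipsec" or "discard"
            "request": " ".join(tokens[p + 3:]),  # e.g. esp/tunnel/.../require
        })
    return entries


def lookup(spd, src_ip, dst_ip, direction):
    """Return the policy for one packet, or None if no entry matches (bypass).

    Assumption of this model: among overlapping selectors the one with the
    longest combined prefix wins, which is why the /24 'none' entries shield
    local traffic from the /16 'ipsec' entries.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [e for e in spd
               if e["dir"] == direction and src in e["src"] and dst in e["dst"]]
    if not matches:
        return None
    best = max(matches, key=lambda e: e["src"].prefixlen + e["dst"].prefixlen)
    return best["policy"]
```

Running lookup(parse_spd(SPD_CONF), "172.20.1.10", "192.168.2.5", "out") yields "none", while a destination elsewhere in 192.168.0.0/16 yields "ipsec".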

disable_policy

It is also possible to disable IPsec policy lookup per network interface. By default this is done for the loopback interface lo:

debian:~# cat /proc/sys/net/ipv4/conf/lo/disable_policy
1

This could be an alternative to the ipsec-tools.conf modification if the local traffic leaves through an interface that is not the one used for IPsec. Note that disable_policy switches off SPD checking for all traffic on that interface, not only for the local subnet.