Background
Now suppose that, instead of the IPsec example, Alice wants to reach the whole 192.168.0.0/16 network (a /16, 65536 addresses) while she is on the local subnet 192.168.2.0/24, which lies inside that range. The IPsec rules must therefore not be applied to traffic that stays on her local subnet.
Implementation
What has to be changed:
Replace 192.168.22.0/24 in Alice's racoon.conf with 192.168.0.0/16.
Exclude traffic between 172.20.1.0/24 and Alice's local subnet 192.168.2.0/24 from IPsec: see the new ipsec-tools.conf below.
Modify the subnet in the ip route add to ... command on Alice to match.
Security Policies
Alice's /etc/ipsec-tools.conf
flush;
spdflush;
spdadd 172.20.1.0/24 192.168.2.0/24 any -P out none;
spdadd 172.20.1.0/24 192.168.0.0/16 any -P out ipsec
       esp/tunnel/172.27.1.165-172.27.1.169/require;
spdadd 192.168.2.0/24 172.20.1.0/24 any -P in none;
spdadd 192.168.0.0/16 172.20.1.0/24 any -P in ipsec
       esp/tunnel/172.27.1.169-172.27.1.165/require;

The none policy means that no IPsec processing takes place for packets from 172.20.1.0/24 to 192.168.2.0/24 (out) and vice versa (in): they are sent and accepted in the clear. Keep the two none entries ahead of the broader 192.168.0.0/16 entries. Policies loaded without an explicit priority share the same priority, and on Linux the earlier-inserted policy is consulted first, so a none entry listed after the /16 entry would be shadowed and never match. Load the file with setkey -f /etc/ipsec-tools.conf and check the resulting SPD with setkey -DP. See the setkey man page.
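As an added illustration that is not part of the original page, the following Python model parses the spdadd lines above and performs a first-match lookup the way the Linux SPD does for policies of equal priority (an assumption stated in the code). The sample packets and the swapped-order configuration are constructed here; shadowed() flags an exclusion that can never match because a broader entry precedes it.

```python
"""Toy model of the SPD above: parse spdadd lines, then do a first-match lookup."""
import ipaddress
import re

# Constructed copy of the SPD part of Alice's ipsec-tools.conf.
SPD_CONF = """
spdadd 172.20.1.0/24 192.168.2.0/24 any -P out none;
spdadd 172.20.1.0/24 192.168.0.0/16 any -P out ipsec
       esp/tunnel/172.27.1.165-172.27.1.169/require;
spdadd 192.168.2.0/24 172.20.1.0/24 any -P in none;
spdadd 192.168.0.0/16 172.20.1.0/24 any -P in ipsec
       esp/tunnel/172.27.1.169-172.27.1.165/require;
"""

# Only the subset of setkey syntax used above: src dst proto -P dir action [rule];
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(none|discard|ipsec)"
    r"(?:\s+([^\s;]+))?\s*;")


def parse_spd(text):
    """Return the policies as dicts, in file order (the order setkey inserts them)."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, proto, direction, action, rule = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "proto": proto,
            "dir": direction,
            "action": action,
            "rule": rule,
        })
    return policies


def lookup(policies, src, dst, direction):
    """First matching policy wins. Assumption: every entry carries the same
    default priority, and Linux keeps earlier-inserted policies ahead in the
    lookup. Returns (action, rule), or None when nothing matches (plaintext)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        # proto is 'any' in every entry above, so only addresses and direction count
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p["action"], p["rule"]
    return None


def shadowed(policies):
    """Policies that can never match because an earlier entry in the same
    direction covers both their selectors, e.g. a none exclusion listed after
    the broader ipsec entry it is meant to carve out."""
    result = []
    for i, p in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier["dir"] == p["dir"]
                    and p["src"].subnet_of(earlier["src"])
                    and p["dst"].subnet_of(earlier["dst"])):
                result.append(p)
                break
    return result


if __name__ == "__main__":
    spd = parse_spd(SPD_CONF)
    # local subnet stays in the clear, the rest of the /16 goes through the tunnel
    print(lookup(spd, "172.20.1.10", "192.168.2.5", "out"))
    print(lookup(spd, "172.20.1.10", "192.168.5.5", "out"))
    print(shadowed(spd))
    # swapping the first two entries hides the exclusion behind the /16 policy
    swapped = parse_spd(SPD_CONF)
    swapped[0], swapped[1] = swapped[1], swapped[0]
    print(lookup(swapped, "172.20.1.10", "192.168.2.5", "out"))
    print(shadowed(swapped))
```

With the file order as written, a packet to 192.168.2.5 gets none and a packet to 192.168.5.5 gets the ESP tunnel; with the first two entries swapped, the local traffic would be tunnelled and shadowed() reports the dead exclusion, which is exactly what setkey -DP lets you check on the live kernel.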
disable_policy
It is also possible to disable IPsec policy (SPD) checks per network interface with the disable_policy sysctl. By default this is already done for the loopback interface lo:
debian:~# cat /proc/sys/net/ipv4/conf/lo/disable_policy
1
Setting net.ipv4.conf.<interface>.disable_policy to 1 on the interface that carries the local 192.168.2.0/24 traffic is an alternative to the none entries in ipsec-tools.conf, but only if that interface is not the one used for the IPsec tunnel itself. The setting bypasses the SPD for every packet on that interface, inbound and outbound, so applying it to the tunnel interface would also let traffic for 192.168.0.0/16 pass in the clear.
