Hi,

Attached patch adds more details about what protected-subnet's role is in the configuration file; it may be useful for someone unfamiliar with the terminology used in IKEv2.
Sevan
Index: sbin/iked/iked.conf.5 =================================================================== RCS file: /cvs/src/sbin/iked/iked.conf.5,v retrieving revision 1.53 diff -u -p -u -r1.53 iked.conf.5 --- sbin/iked/iked.conf.5 31 Jan 2018 13:25:55 -0000 1.53 +++ sbin/iked/iked.conf.5 22 Feb 2019 11:55:15 -0000 @@ -572,7 +572,12 @@ This option is provided for compatibilit .It Ic dhcp-server Ar address The address of an internal DHCP server for further configuration. .It Ic protected-subnet Ar address/prefix -The address of the protected subnet within the internal network. +The address of subnets in prefix notation which destined traffic for should be +sent over the established tunnel. +This option can be specified multiple times to compose a series of individual +routes which are pushed to peers. +If this option is not specified, the established tunnel is used as a +default gateway for all traffic by peers. .It Ic access-server Ar address The address of an internal remote access server. .El
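Review bot: the first added sentence of the protected-subnet description does not parse ("The address of subnets in prefix notation which destined traffic for should be sent over the established tunnel"), and it uses the plural "subnets" although the argument is a single `Ar address/prefix`; suggest something like "The address of a subnet in prefix notation. Traffic destined for this subnet is sent over the established tunnel." with "This option can be specified multiple times" then covering the plural case. The last added sentence also states as a guarantee what peers do when the option is absent ("the established tunnel is used as a default gateway for all traffic by peers"); since the hunk itself describes these as routes "pushed to peers", that fallback is the peer's decision rather than iked's, so it should be worded as what a peer will typically do, not as a fixed behaviour.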
