Otherwise it will be evaluated as a macro during config parsing; `$domain` is a special value that is being replaced much later at runtime.
iked.conf's EXAMPLES already quotes it. OK? Index: ipsec.conf.5 =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v retrieving revision 1.158 diff -u -p -r1.158 ipsec.conf.5 --- ipsec.conf.5 10 Feb 2020 13:18:20 -0000 1.158 +++ ipsec.conf.5 15 Feb 2020 21:29:51 -0000 @@ -575,7 +575,7 @@ The tags will be assigned by the followi example: .Bd -literal -offset indent ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e - tag ipsec-$domain + tag "ipsec-$domain" .Ed .Sh OUTGOING NETWORK ADDRESS TRANSLATION In some network topologies it is desirable to perform NAT on traffic leaving Index: iked.conf.5 =================================================================== RCS file: /cvs/src/sbin/iked/iked.conf.5,v retrieving revision 1.61 diff -u -p -r1.61 iked.conf.5 --- iked.conf.5 10 Feb 2020 13:18:20 -0000 1.61 +++ iked.conf.5 15 Feb 2020 21:34:19 -0000 @@ -766,7 +766,7 @@ configuration and also sets an alternati device: .Bd -literal -offset indent ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \e - tag ipsec-$domain tap "enc1" + tag "ipsec-$domain" tap "enc1" .Ed .Sh OUTGOING NETWORK ADDRESS TRANSLATION In some network topologies it is desirable to perform NAT on traffic leaving
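Review bot: in the ipsec.conf.5 hunk at -575, the example now reads `tag "ipsec-$domain"`, but the text leading into it ("The tags will be assigned by the followi[ng] example") still gives no reason for the quotes. Consider adding one sentence before the example saying that an unquoted `$domain` is expanded as a macro when the file is parsed, so readers adapting the rule do not drop the quotes again.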
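Review bot: in the iked.conf.5 hunk at -766, only this one example line is changed to `tag "ipsec-$domain" tap "enc1"`. It is worth checking the rest of the page for any other tag shown with a `$` variable and quoting it the same way, and stating near this example, as suggested for ipsec.conf.5, that the quotes keep the parser from treating the variable as a macro.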
