I'd like to have an optional setting in IPsec policy entries that defines an interface where a policy is bound to. Currently IPsec policies are global and you'll have to create separate policies to exclude IPsec from LAN interfaces.
In Linux kernel it's possibly to use device as a selector for xfrm transform policies. I suppose it should be doable in ROS as well.