I can't understand why ipsec-tools does not work with interfaces.

Imagine this network:\  \    \     \   -----[.1___router1___.1]----[2___router2___.1]----     /   /
......---------------------------------- /
totally about 30 networks -----/
All networks are stub (leased line), but I must encrypt all traffic between router1 and router2.

It's easy when all stub networks talk with remote networks; these are the rules to encrypt on router1:

spdadd any -P out ipsec esp/tunnel/;
spdadd any -P in ipsec esp/tunnel//;
and the other 29 networks: 60 rules total.

But those networks can't communicate with each other via router1. To resolve this I have to make rules like this:

spdadd any -P in none;
spdadd any -P out none;
spdadd any -P in none;
spdadd any -P out none;

These rules must be the first rules.

That's 4 additional rules for 2 networks.

For 30 networks it's 2*(29+28+27+...+2) = 868 rules total.

That's pretty dirty...

It would be much better if spdadd rules could handle interfaces,

e.g. router1's interface eth0 with:

spdadd any -P out via eth0 ipsec esp/tunnel/;
spdadd any -P in via eth0 ipsec esp/tunnel//;

So I would not need to make "-P in none" policies.

I know that I can make it much better by making a GRE tunnel between router1 and router2 and in the policy just make 2 rules:

spdadd any -P out ipsec esp/transport//require;
spdadd any -P in ipsec esp/transport///require;

And make routing move packets via the GRE tunnel.
Yeah, it's better.
But in Cisco it's not required: I just configure a crypto map on the interface, so other interfaces are simply excluded from IPsec policy checks.

What do you think about it?
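To make the two approaches in this post concrete, here is an added example (not from the original post or from ipsec-tools) that generates the setkey SPD text for router1 in both styles: the per-network tunnel policies with the pairwise "-P ... none" bypass rules that have to come first, and the two transport-mode rules for the GRE alternative. All addresses are constructed sample values (10.1.x.0/24 stub networks behind router1, 10.2.0.0/16 as the remote side, 192.0.2.1/192.0.2.2 as the router endpoints); the rule counts follow the post's own description (2 tunnel rules per stub network, 4 bypass rules per pair of stub networks). It also includes a check that every bypass rule precedes every ipsec rule, since a misordered SPD is the failure mode the post is worried about.

```python
"""Generate ipsec-tools setkey SPD entries for the two-router topology in the post.

All addresses below are constructed sample values, not the poster's real ones.
"""
from itertools import combinations

ROUTER1_WAN = "192.0.2.1"      # constructed: router1 tunnel endpoint
ROUTER2_WAN = "192.0.2.2"      # constructed: router2 tunnel endpoint
REMOTE_SIDE = "10.2.0.0/16"    # constructed: aggregate of networks behind router2


def local_networks(n):
    """Constructed stub networks behind router1: 10.1.1.0/24 ... 10.1.n.0/24."""
    return [f"10.1.{i}.0/24" for i in range(1, n + 1)]


def bypass_rules(nets):
    """Pairwise 'none' policies so local-to-local traffic through router1 skips IPsec.

    Four rules per unordered pair (in/out for each direction), as described in the post.
    These must precede the tunnel policies or the tunnel rules would match first.
    """
    rules = []
    for a, b in combinations(nets, 2):
        for src, dst in ((a, b), (b, a)):
            rules.append(f"spdadd {src} {dst} any -P in none;")
            rules.append(f"spdadd {src} {dst} any -P out none;")
    return rules


def tunnel_rules(nets, remote=REMOTE_SIDE):
    """Two tunnel-mode ESP policies per stub network (out to and in from the remote side)."""
    rules = []
    for net in nets:
        rules.append(
            f"spdadd {net} {remote} any -P out ipsec "
            f"esp/tunnel/{ROUTER1_WAN}-{ROUTER2_WAN}/require;"
        )
        rules.append(
            f"spdadd {remote} {net} any -P in ipsec "
            f"esp/tunnel/{ROUTER2_WAN}-{ROUTER1_WAN}/require;"
        )
    return rules


def per_network_spd(nets, remote=REMOTE_SIDE):
    """Full SPD for the per-network approach: bypass rules first, then tunnel rules."""
    return bypass_rules(nets) + tunnel_rules(nets, remote)


def gre_transport_spd(r1=ROUTER1_WAN, r2=ROUTER2_WAN):
    """The GRE alternative from the post: protect router-to-router traffic in transport
    mode and let routing decide what goes through the GRE tunnel."""
    return [
        f"spdadd {r1} {r2} any -P out ipsec esp/transport//require;",
        f"spdadd {r2} {r1} any -P in ipsec esp/transport//require;",
    ]


def bypass_rules_come_first(rules):
    """True if no '-P ... none' rule appears after an '-P ... ipsec' rule.

    setkey evaluates the SPD in order, so a bypass rule placed after a matching
    tunnel rule would never be reached and that traffic would be (wrongly) tunnelled.
    """
    seen_ipsec = False
    for rule in rules:
        if " ipsec " in rule:
            seen_ipsec = True
        elif rule.endswith(" none;") and seen_ipsec:
            return False
    return True


def render(rules):
    """Join rules into the text you would feed to `setkey -f`."""
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    nets = local_networks(30)
    spd = per_network_spd(nets)
    print(f"# per-network SPD: {len(spd)} rules "
          f"({len(bypass_rules(nets))} bypass + {len(tunnel_rules(nets))} tunnel)")
    print(render(spd[:4]), end="")
    print(f"# GRE/transport SPD: {len(gre_transport_spd())} rules")
    print(render(gre_transport_spd()), end="")
```

Running it with 30 stub networks shows the size of the two configurations side by side: the pairwise bypass rules dominate the per-network SPD, while the GRE variant stays at two rules regardless of how many networks sit behind either router. The ordering check is what to run against any hand-edited SPD before loading it, since a bypass rule that lands after a tunnel rule silently does nothing.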