Hello, Mick, I just read some parts of the RFC about IKE, and have some questions.

1. The implementations in the router and in ipsec-tools are IKEv1 (as shown in the version field of the IKE packet header), so should we not look at RFC 5596 but at RFC 2407-2409?

2. RFC 2408 says: "Certificate Request payloads SHOULD be included in an exchange whenever an appropriate directory service (e.g. Secure DNS [DNSSEC]) is not available to distribute certificates."
   I found there is no cert request payload in the IKE packets between two hosts using ipsec-tools; is that right?

3. In the config of a router (Cisco or Huawei), we must give the CA URL, just like:
   ip host dns.com    // CA server IP
   enrollment url
   But in racoon from ipsec-tools, it seems we need not specify the CA URL; I don't know how the IKE protocol describes this behaviour.

I think you have more knowledge about the IKE protocol, and am looking forward to your advice. Thank you very much.
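Questions 1 and 2 can both be checked against a captured UDP/500 datagram. Below is an added example (not part of this thread or of ipsec-tools) in Python: it parses the fixed ISAKMP header from RFC 2408, reads the major/minor version nibbles, and walks the payload chain to report whether a Certificate Request (CR, type 7) payload is present; the sample datagrams are constructed inline with filler payload bodies, and encrypted messages (flag bit set) are reported as not walkable.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): two 8-byte cookies, next payload,
# version (major nibble | minor nibble), exchange type, flags, message ID, length.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
PAYLOAD_HEADER = struct.Struct("!BBH")  # next payload, reserved, payload length
FLAG_ENCRYPTION = 0x01
PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}

def parse_isakmp(datagram: bytes) -> dict:
    """Return version, exchange type and the payload-type chain of one UDP/500 datagram."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    hdr = ISAKMP_HEADER.unpack_from(datagram)
    ptype, version, flags, length = hdr[2], hdr[3], hdr[5], hdr[7]
    if length != len(datagram):
        raise ValueError("header length field does not match datagram length")
    info = {"major": version >> 4, "minor": version & 0x0F, "exchange_type": hdr[4],
            "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if info["encrypted"]:
        return info  # payload chain is ciphertext; cannot be walked without the SA keys
    offset = ISAKMP_HEADER.size
    while ptype != 0:  # next-payload 0 marks the end of the chain
        if offset + PAYLOAD_HEADER.size > len(datagram):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = PAYLOAD_HEADER.unpack_from(datagram, offset)
        if plen < PAYLOAD_HEADER.size or offset + plen > len(datagram):
            raise ValueError("bad payload length")  # malformed chain; do not trust it
        info["payloads"].append(PAYLOAD_NAMES.get(ptype, f"UNKNOWN({ptype})"))
        offset += plen
        ptype = nxt
    return info

def has_certreq(datagram: bytes) -> bool:
    """True if the unencrypted datagram carries a Certificate Request payload (type 7)."""
    return "CR" in parse_isakmp(datagram)["payloads"]

def build_sample(payload_types, flags=0):
    """Constructed test datagram: IKEv1 (version byte 0x10) Main Mode header followed by
    minimal payloads of the given types; bodies are 4 zero bytes of filler, not real content."""
    body = b""
    for i, ptype in enumerate(payload_types):
        nxt = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        body += PAYLOAD_HEADER.pack(nxt, 0, PAYLOAD_HEADER.size + 4) + b"\x00" * 4
    first = payload_types[0] if payload_types else 0
    header = ISAKMP_HEADER.pack(b"\x01" * 8, b"\x00" * 8, first, 0x10, 2, flags, 0,
                                ISAKMP_HEADER.size + len(body))
    return header + body
```

Feed `parse_isakmp` the UDP payload of each Main Mode message from a capture; in IKEv1 signature authentication the CERTREQ travels in the unencrypted KE/NONCE messages, so its absence there is what the question is really about.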

From: Mick <michaelkintzios@gmail.com>
To: lin jia <chinasjtu@yahoo.com>
Sent: Friday, April 6, 2012 7:54 PM
Subject: Re: [Ipsec-tools-users] help, about linux host connect to cisco router with ipsec?

On Thursday 05 Apr 2012 15:26:03 you wrote:
> Yes, the connection between the Cisco router and the Linux host is OK if I use
> PSK (pre-shared key).
> In the next step, I am going to try openswan to see if openswan can work well
> with the Cisco router using certificates.

I have used strongswan and it would not work - the same problem caused CERTREQ
to fail.  However, openswan is different so it may work.

Good luck!  :-)