Hello Mick, I just read some parts of the RFCs about IKE and have some questions.

1. The implementations in the router and in ipsec-tools are IKEv1 (as shown by the version in the IKE header of the packet), so should we not look at RFC 5596 but at RFC 2407-2409 instead?

2. RFC 2408 says: "Certificate Request payloads SHOULD be included in an exchange whenever an appropriate directory service (e.g. Secure DNS [DNSSEC]) is not available to distribute certificates."
   I found there is no Certificate Request payload in the IKE packets between two hosts using ipsec-tools. Is that right?

3. In the config of the router (Cisco or Huawei), we must give the CA URL, just like:
   ip host dns.com 192.168.5.148 //ca server ip
   enrollment url http://192.168.5.148:80/certsrv/mscep/mscep.dll 
 But in racoon from ipsec-tools, it seems we do not need to specify the CA URL. I don't know how the IKE protocol describes this behaviour.

I think you have more knowledge about the IKE protocol, and I am looking forward to your advice. Thank you very much.