1. The implementations in the router and ipsec-tools are IKEv1 (as shown in the version in the IKE header of the packet), so should we look not at RFC 5596 but at RFC 2407-2409?
2. RFC 2408 says: Certificate Request payloads SHOULD be included in an exchange whenever an appropriate directory service (e.g. Secure DNS [DNSSEC]) is not available to distribute
I found there is no cert request payload in the IKE packets between two hosts using ipsec-tools. Is that right?
3. In the config of the router (Cisco or Huawei), we must give the CA URL, just like:
    ip host dns.com 192.168.5.148 //ca server ip
    enrollment url http://192.168.5.148:80/certsrv/mscep/mscep.dll
But in racoon of ipsec-tools, it seems we need not specify the CA URL. I don't know how the IKE protocol describes this behaviour.
I think you have more knowledge about the IKE protocol, and I am looking forward to your advice. Thank you very much.