Experimentally I found solution.

Topology:

1.1.1.0/24 ---- [.1___R1___.12 ] ----172.20.0.0/24----[.2___R2___.2]----2.2.2.0/24(and other networks)

1.1.1.0/24 - stub network.
______________________________________

So at R1 configuration (I used ubuntu server):
ipsec-tools.conf:

# we do not want to encrypt traffic between R1 and its stub network.
spdadd 1.1.1.0/24 1.1.1.0/24 any -P in none;
spdadd 1.1.1.0/24 1.1.1.0/24 any -P out none;
# securing 1.1.1.0/24 stub network
spdadd 0.0.0.0/0 1.1.1.0/24 any -P in ipsec esp/tunnel/172.20.0.2-172.20.0.12/require;
spdadd 1.1.1.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/172.20.0.12-172.20.0.2/require;

racoon.conf:

listen {
    isakmp 172.20.0.12 [500];
}

remote 172.20.0.2 {
    exchange_mode main;
    lifetime time 1 hour;
    proposal {
        encryption_algorithm rijndael 128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo subnet 1.1.1.0/24 any subnet 0.0.0.0/0 any {
    pfs_group 2;
    encryption_algorithm rijndael 128;
    authentication_algorithm non_auth;
    compression_algorithm deflate;
    lifetime time 1 hour;
}

And R2 configuration:
ipsec-tools.conf:

spdadd 0.0.0.0/0 1.1.1.0/24 any -P out ipsec esp/tunnel/172.20.0.2-172.20.0.12/require;
spdadd 1.1.1.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/172.20.0.12-172.20.0.2/require;

racoon.conf:

listen {
    isakmp 172.20.0.2 [500];
}

remote 172.20.0.12 {
    exchange_mode main;
    lifetime time 1 hour;
    proposal {
        encryption_algorithm rijndael 128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo subnet 0.0.0.0/0 any subnet 1.1.1.0/24 any {
    pfs_group 2;
    encryption_algorithm rijndael 128;
    authentication_algorithm non_auth;
    compression_algorithm deflate;
    lifetime time 1 hour;
}
___________________________

And it works.

2011/9/19 c0re <nr1c0re@gmail.com>
Hello ipsec users and developers!

In cisco I can configure cryptomap with access-list like this
permit ip 192.168.0.0 0.0.255.255 any

That means that I encrypt all traffic going to/from 192.168.0.0/16 network.

But I can't find how to do it with setkey and racoon.

Give me please an example.

Thanks!
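As an added example (not part of either message in this thread), the following Python script does mechanically what the reply above works out by hand: it converts a Cisco-style `permit ip <net> <wildcard> any` crypto-map ACL line into the setkey `spdadd` policies for the gateway in front of that network (R1's side, including the `none` bypass for traffic that stays inside the stub network) or for its peer (R2's side). Gateway addresses are parameters; the only values the script assumes are the ones in the thread's configurations.

```python
import ipaddress

def acl_network(addr, wildcard):
    """Cisco '<address> <wildcard>' -> IPv4Network (wildcard = complement of netmask)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    # setkey only takes prefixes: the wildcard's 1-bits must be one low-order run
    if wild & (wild + 1):
        raise ValueError(f"wildcard {wildcard} has no CIDR equivalent")
    return ipaddress.IPv4Network((addr, 32 - wild.bit_length()), strict=False)

def parse_permit(acl_line):
    """Parse 'permit ip SRC DST', each side being 'any', 'host A' or 'A WILDCARD'."""
    toks = acl_line.split()
    if toks[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' lines are supported")
    nets, i = [], 2
    while len(nets) < 2:
        if toks[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.IPv4Network(toks[i + 1] + "/32")); i += 2
        else:
            nets.append(acl_network(toks[i], toks[i + 1])); i += 2
    return nets[0], nets[1]

def spd_entries(acl_line, local_gw, remote_gw, protect_src=True):
    """setkey spdadd lines for one crypto-map ACL entry.

    protect_src=True yields the gateway in front of the ACL's source network
    (R1 in the thread); protect_src=False yields its peer (R2).
    """
    src, dst = parse_permit(acl_line)
    out_tun = f"esp/tunnel/{local_gw}-{remote_gw}/require"
    in_tun = f"esp/tunnel/{remote_gw}-{local_gw}/require"
    lines = []
    if protect_src:
        # Traffic staying inside the protected network must bypass IPsec or it
        # would match the catch-all 'out' policy; never do this for 'any' (/0),
        # since a 0.0.0.0/0 -> 0.0.0.0/0 'none' policy would disable IPsec.
        if src.prefixlen:
            lines += [f"spdadd {src} {src} any -P in none;",
                      f"spdadd {src} {src} any -P out none;"]
        lines += [f"spdadd {dst} {src} any -P in ipsec {in_tun};",
                  f"spdadd {src} {dst} any -P out ipsec {out_tun};"]
    else:
        lines += [f"spdadd {dst} {src} any -P out ipsec {out_tun};",
                  f"spdadd {src} {dst} any -P in ipsec {in_tun};"]
    return lines
```

Running `spd_entries("permit ip 1.1.1.0 0.0.0.255 any", "172.20.0.12", "172.20.0.2")` reproduces R1's four policies from the reply, and the same call with the gateways swapped and `protect_src=False` reproduces R2's two.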