IPsec transport mode

        HOST-A ================ HOST-B
        (A)                     (B)

IKE negotiation:        A <--> B
phase 1 ID payloads:
SA addresses:           A <--> B
outgoing packet:        IP(A->B)
phase 2 ID payloads:    none, or

HOST-A's policy:
        spdadd A B any -P out ipsec ah/transport//require;
        spdadd B A any -P in ipsec ah/transport//require;
HOST-B's policy:
        spdadd B A any -P out ipsec ah/transport//require;
        spdadd A B any -P in ipsec ah/transport//require;
both racoon.conf:       no particular twists


IPsec tunnel mode

        HOST-A --- Gateway-A =========== Gateway-B --- HOST-B
        (A)        (GA)                  (GB)        (B)

IKE negotiation:        GA <--> GB
phase 1 ID payloads:    IDs should reflect GA's and GB's authenticity.
SA addresses:           GA <--> GB
outgoing packet:        IP(GA->GB)
phase 2 ID payloads:    A, B

Gateway-A's policy:
        spdadd A B any -P out ipsec esp/tunnel/GA-GB/require;
        spdadd B A any -P in ipsec esp/tunnel/GB-GA/require;
Gateway-B's policy:
        spdadd B A any -P out ipsec esp/tunnel/GB-GA/require;
        spdadd A B any -P in ipsec esp/tunnel/GA-GB/require;
both racoon.conf:       no particular twists


MIP6

        MN ================ CN
        (HA/COA)            (CNA)

IKE negotiation:        COA <--> CNA
                        * The MN will probably always initiate the IKE session.
phase 1 ID payloads:
SA addresses:           HA <--> CNA
outgoing packet:        IP(COA->CNA) | HAoption(HA)
phase 2 ID payloads:

MN's policy:
        spdadd HA CNA any -P out ipsec ah/transport//require;
        spdadd CNA HA any -P in ipsec ah/transport//require;
MN's racoon.conf:
        remote CNA {
                support_mip6 on;
        }
CN's policy:
        spdadd CNA HA any -P out ipsec ah/transport//require;
        spdadd HA CNA any -P in ipsec ah/transport//require;
CN's racoon.conf:
        support_mip6 on;
        (generate_policy on;)


Accept anonymous client on IPsec transport mode

        HOST-A =========== Server
        (A)                (S)

IKE negotiation:        A <--> S
phase 1 ID payloads:    anything, anything
SA addresses:           A <--> S
phase 2 ID payloads:    none

S accepts network connections from the network range net/pl (like 1.0.0.0/8).

HOST-A's policy:
        spdadd A S any -P out ipsec esp/transport//require;
        spdadd S A any -P in ipsec esp/transport//require;
A's racoon.conf:        no particular twists
Server's policy:
        spdadd S net/pl any -P out ipsec esp/transport//require;
        spdadd net/pl S any -P in ipsec esp/transport//require;
Server's racoon.conf:   no particular twists

Due to the absence of a phase 2 ID, the IPsec SA will be installed for A <--> S, not for net/pl <--> S.
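In every example above the two sides' policies are mirror images: each outbound spdadd entry on one host has a matching inbound entry on its peer, with the same protocol, mode, tunnel endpoints and level, and with the server's net/pl range standing in for A in the last case. The following added example (not part of the original document or of racoon) parses spdadd lines of the form shown here and lists the outbound policies a peer would not accept; all addresses in it are constructed documentation values.

```python
import ipaddress
import re

# Shape of the spdadd lines on this page:
#   spdadd SRC DST PROTO -P DIR ipsec PROTOCOL/MODE/[TSRC-TDST]/LEVEL;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(ah|esp)/(transport|tunnel)/(?:(\S+?)-(\S+?))?/(require|use|default);")
FIELDS = ("src", "dst", "proto", "dir", "ipproto", "mode", "tsrc", "tdst", "level")


def parse_spd(text):
    """Parse spdadd lines into dicts keyed by FIELDS; reject unparsable lines."""
    entries = []
    for line in text.strip().splitlines():
        m = SPD_RE.search(line)
        if not m:
            raise ValueError("unparsable policy line: " + line)
        entries.append(dict(zip(FIELDS, m.groups())))
    return entries


def _overlap(a, b):
    """True when two selectors (host address or prefix) share any address,
    so a host policy on one side can pair with a net/pl policy on the other."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def unmatched_outbound(local, peer):
    """Return local outbound policies for which the peer has no inbound policy
    with overlapping selectors and identical protocol, mode, tunnel endpoints
    (in the same order, as in the examples above) and level."""
    same = ("proto", "ipproto", "mode", "tsrc", "tdst", "level")
    return [out for out in local if out["dir"] == "out" and not any(
        inb["dir"] == "in"
        and all(inb[k] == out[k] for k in same)
        and _overlap(inb["src"], out["src"])
        and _overlap(inb["dst"], out["dst"])
        for inb in peer)]


# Constructed sample for the tunnel-mode case: A=10.0.1.0/24, B=10.0.2.0/24,
# GA=203.0.113.1, GB=203.0.113.2 (documentation prefixes, not real hosts).
GATEWAY_A = parse_spd("""
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
""")
GATEWAY_B = parse_spd("""
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
""")
```

Run `unmatched_outbound(GATEWAY_A, GATEWAY_B)` and the reverse call; an empty list in both directions means the two gateways' SPDs agree, and any entry returned is a policy whose packets the peer would drop.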