Without changing the racoon settings at all, it works if I set the SPD entries manually with setkey and only switch them to transport mode:
spdadd -4 192.168.125.14/32 192.168.125.10/32 any -P in ipsec esp/transport/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10/32 192.168.125.14/32 any -P out ipsec esp/transport/192.168.125.10-192.168.125.14/require;
So here is the question: in the racoon-related settings there is no way to choose between transport and tunnel mode.
If generate_policy on; is set in racoon.conf, which mode does it generate by default? I tried it and it failed; presumably it could not find a matching SPD entry or something like that.
Under what circumstances does setting generate_policy on; actually work?
It really can only be used when the peer's address is dynamic.
generate_policy (on | off | require | unique);
This directive is for the responder. Therefore you should set passive to on in order that racoon(8) only becomes a responder. If the responder does not have any policy in SPD during phase 2 negotiation, and the directive is set to on, then racoon(8) will choose the first proposal in the SA payload from the initiator, and generate policy entries from the proposal. It is useful to negotiate with clients whose IP address is allocated dynamically. Note that an inappropriate policy might be installed into the responder's SPD by the initiator, so other communications might fail if such policies are installed due to a policy mismatch between the initiator and the responder. on and require values mean the same thing (generate a require policy). unique tells racoon to set up unique policies, with a monotonically increasing reqid number (between 1 and IPSEC_MANUAL_REQID_MAX). This directive is ignored in the initiator case. The default value is off.
Maybe I should keep reading: what about the responder case?
Ideally it would also support the L2TP protocol, so that Windows and smartphones can connect.
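The responder-side setup that the man page text above describes, as an added example (not from the original post or from the racoon project): racoon.conf on the static host 192.168.125.10, accepting dynamically addressed clients and letting generate_policy install their transport-mode policy. The file paths, pre-shared-key file and algorithm choices are assumptions; the client still needs its own setkey SPD entries like the ones shown above, with its current address in place of 192.168.125.14.

```conf
# /etc/racoon/racoon.conf on the responder (assumed path, constructed example)
path pre_shared_key "/etc/racoon/psk.txt";   # keyed by the client identifier, not by IP

listen {
    isakmp 192.168.125.10 [500];
}

# "anonymous" matches any initiator, which is what a dynamic-address client needs
remote anonymous {
    exchange_mode aggressive,main;
    passive on;           # responder only: generate_policy is ignored on an initiator
    generate_policy on;   # build a "require" SPD entry from the client's first proposal;
                          # the mode (transport/tunnel) comes from that proposal, not from here
    proposal_check strict;  # reject proposals whose lifetime/PFS exceed ours, limiting
                            # what an initiator can push into this SPD (see man page caveat)
    my_identifier address 192.168.125.10;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

# phase 2 parameters for any client; transport vs tunnel is still decided by the SPD
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Because the installed policy mirrors whatever the client proposed, check the generated entries after a client connects with setkey -DP and look for the expected esp/transport/... line; using generate_policy unique instead of on gives each client its own reqid so one client's policy cannot shadow another's.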