Subject: Re: netkey API has severe problems
To: Alan Barrett <apb@cequrux.com>
From: None <itojun@iijlab.net>
List: tech-kern
Date: 04/04/2000 20:56:42

>> 	racoon should grab policy configuration from the kernel and compile
>> 	IKE phase proposal based on it.  sakane (cc'ed) is working on it.
>To deal with roaming users, you should be able to have a policy like
>"I don't care what IP address the remote side uses; I require the
>remote side to present a user_fqdn from a preconfigured list, and to
>know the associated secret; then I want all traffic to be protected by
>algorithms X and Y".  There's no way to configure such a policy into
>the kernel; you have to configure it into racoon.

	yup, for responder side, racoon would need to put some SPD entries
	into the kernel for some cases (roaming user case).  I agree with it.

itojun