In the [manual flows] section of the ipsec.conf man page, the [type modifier] parameter doesn't explain require, use, acquire and dontacq modifiers. The explanation from the old ipsecadm(8) should be use:
A use flow, specify that packets matching this flow should try to use IPsec if possible. A acquire For flow specify that packets matching this flow should try to use IPsec and establish SAs dynamically if possible, but permit unencrypted traffic. A require flow specify that packets matching this flow must use IPsec, and establish SAs dynamically as needed. If no SAs are established, traffic is not allowed through. A dontacq flow specify that packets matching this flow must use IPsec. If such SAs are not present, simply drop the packets. Such a policy may be used to demand peers establish SAs before they can communicate with us, without going through the burden of initiating the SA ourselves (thus allowing for some denial of service attacks). This flow type is particularly suitable for security gateways. Aurilien.
