In the [manual flows] section of the ipsec.conf man page, the [type
modifier] parameter doesn't explain require, use, acquire and dontacq
modifiers. The explanation from the old ipsecadm(8) should be use:
A use flow, specify that packets matching this flow should try to use IPsec
if possible.
A acquire For flow specify that packets matching this flow should try to
use IPsec and establish SAs dynamically if possible, but permit unencrypted
traffic.
A require flow specify that packets matching this flow must use IPsec, and
establish SAs dynamically as needed. If no SAs are established, traffic is
not allowed through.
A dontacq flow specify that packets matching this flow must use IPsec. If
such SAs are not present, simply drop the packets. Such a policy may be used
to demand peers establish SAs before they can communicate with us, without
going through the burden of initiating the SA ourselves (thus allowing for
some denial of service attacks). This flow type is particularly suitable for
security gateways.
Aurilien.
