Basic mechanism

Kernel maintains two database to use IPsec. One is the Security Policy Database(SPD). Kernel refers to SPD in order to decide whether to apply IPsec to a packet or not. Also SPD entries specify which/how IPsec-SA is applied. Another one is the Security Association Database(SAD). SAD entries contain Key of each IPsec-SA.
The following figure specifies a flow until kernel applies IPsec-SA to a packet.

setkey racoon <-------(IKE)-------> somebody
| ^ | (5)
| | |(6)
|(1) +-----+ +---+
| (4)| |
v | v
+-----+ (2) | (3) +-----+
| SPD |<----- kernel ------>| SAD |
+-----+ | +-----+
|(7)
v
(1)The administrator sets a policy to SPD by using setkey.
(2)Kernel refers to SPD in order to make a decision of applying IPsec to a packet.
(3)If IPsec is required, then kernel get the Key for IPsec-SA from SAD.
(4)If it is failed, then kernel send a request to get the Key to racoon.
(5)racoon exchange the Key by using IKE with the other to be established IPsec-SA.
(6)racoon put the Key into SAD.
(7)Kernel can send a packet applied IPsec.
надо понять о чём это вообще
http://www.kame.net/newsletter/20000428/