This would be a perfect drop in replacement (to add L7 filtering, transparent antivirus proxy, etc.) to what we have currently, except… No native IPSEC to IPSEC tunnel support. What an omission! And do I notice that you are using the old racoon for a keying daemon? Libreswan and Strongswan — either would serve much better.