Subject: Re: help with ipsec, again
To: None <dlagno@smtp.ru>
From: Greg Troxel <gdt@ir.bbn.com>
List: netbsd-users
Date: 01/31/2005 08:23:15
You have 'use' instead of 'require'.  That means to try to get an SA,
but to send the packet without an SA if there is none.  This is an
unusual choice for your application, where I think you'd want to
always use IPsec.  (I have only ever used 'use' on a server where the
server's policy does not force IPsec, but some clients might want it.)

racoon is required in order to create SAs from SPDs.  You probably
should try pre-shared keys first.

'setkey -x' will be helpful in watching the acquire messages that
should be generated.  Also watch /var/log/messages to see the output
of racoon.  If you aren't very familiar with racoon, the odds of you
getting it set up without iterating through debug messages are low.

-- 
        Greg Troxel <gdt@ir.bbn.com>
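The 'use' versus 'require' distinction from the reply above, shown as an added setkey(8) policy example that is not part of the original thread; the 192.0.2.1/192.0.2.2 host addresses and the file paths are constructed placeholders, and racoon still has to be running to turn the resulting acquire messages into SAs.

```conf
# Constructed example for setkey -f: per-host ESP transport policy.
# 192.0.2.1 is the local host, 192.0.2.2 the peer (placeholder addresses).

# Flush old SAD/SPD entries so stale policies do not mask a mistake.
flush;
spdflush;

# Weak setting: 'use' asks the kernel to acquire an SA via racoon, but
# if no SA exists yet (or negotiation fails) traffic is sent in the
# clear. Watch for this with 'setkey -D': unprotected packets flow even
# when the SAD is empty.
# spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//use;
# spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//use;

# Corrected setting: 'require' drops or queues the packet until an SA
# exists, so the pair of hosts never talks without IPsec. The first
# outbound packet triggers an acquire that 'setkey -x' will display and
# that racoon (here with pre-shared keys) must answer.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

With the 'require' policy loaded, a missing or stopped racoon shows up immediately as blocked traffic plus repeated acquire messages in 'setkey -x', rather than as silently unencrypted packets.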