NetBSD-Users archive
Re: Simple IPSEC client with certificate - phase 1 time out
On Tue, Mar 01, 2016 at 09:09:07AM -0500, Greg Troxel wrote:
>
> In my experience, SPD entries are added outside of racoon to tell the
> kernel that certain traffic should have IPsec protection. I don't
> understand how in your setup that's supposed to work, or what is
> triggering racoon to start the negotiation.
>
An SPD sets the policy for encrypting an outgoing packet. If you are
simply creating a tunnel between two machines I think you don't need it,
but if you have a machine that wants to access a network on the other
side of a tunnel then you need an SPD to tell ipsec to use a particular
SAD to encrypt and send the packet. I cannot recall myself, but I think
racoon should set up the SPD if you have told it there is a network
range on the remote end. If racoon is configured with passive off then
it will attempt negotiation when it starts; I expect this is what is
happening.
--
Brett Lymn
Let go, or be dragged - Zen proverb.
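A concrete illustration of the host-to-remote-network case Brett describes above, added here as an example; it is not from the original thread and not taken from the NetBSD or ipsec-tools documentation. The assumed placeholders are a client host 192.0.2.10, a gateway 198.51.100.1 fronting the network 10.0.0.0/24, and the certificate file names under /etc/racoon/certs. The first part is a setkey(8) policy file as loaded by `setkey -f`; the second is the matching racoon.conf remote block with `passive off` so that racoon is allowed to act as initiator.

```conf
# /etc/ipsec.conf  (load with: setkey -f /etc/ipsec.conf)
# Addresses are assumed placeholders, not from the original post.
flush;
spdflush;

# Outbound: traffic from this host to the remote network must go through
# an ESP tunnel to the gateway. "require" drops matching packets until an
# SA exists instead of sending them in the clear; the kernel then asks
# racoon (via PF_KEY ACQUIRE) to negotiate one.
spdadd 192.0.2.10/32 10.0.0.0/24 any -P out ipsec
       esp/tunnel/192.0.2.10-198.51.100.1/require;

# Inbound: return traffic from the remote network must arrive inside the
# same tunnel, otherwise it is discarded.
spdadd 10.0.0.0/24 192.0.2.10/32 any -P in ipsec
       esp/tunnel/198.51.100.1-192.0.2.10/require;

# /etc/racoon/racoon.conf
# Certificate file names and the directory are assumed placeholders.
path certificate "/etc/racoon/certs";

remote 198.51.100.1 {
        exchange_mode main;
        # passive off: racoon may initiate phase 1 when the kernel asks
        # for an SA; with passive on it would only answer the peer.
        passive off;
        certificate_type x509 "client.crt" "client.key";
        # Check the gateway's certificate against the CA in the cert path
        # rather than accepting any certificate it presents.
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp2048;
        }
}

# Phase 2 parameters applied to any SPD entry that needs an SA.
sainfo anonymous {
        pfs_group modp2048;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With both files loaded, the first packet from 192.0.2.10 towards 10.0.0.0/24 matches the `out` policy, the kernel raises an ACQUIRE for the tunnel endpoints named in that policy, and racoon starts the phase 1 exchange with 198.51.100.1. A phase 1 timeout at that point means the gateway never answered or the proposal, identifiers or certificate check did not match; `racoon -F -d` in the foreground shows which.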