Subject: Re: IPSEC still fails on BETA2/vax
To: Olaf Seibert <rhialto@polderland.nl>
From: None <itojun@iijlab.net>
List: current-users
Date: 07/10/2002 08:16:10
>> sorry, i checked your original posting. could you check where the
>> kernel code is returning EINVAL in UPDATE message handling? it should
>> be somewhere inside sys/netkey/*.c (some printfs should do it).
>
>I added some printf() calls in sys/netkey/key.c in the function
>key_update(). Now I get this on my console (racoon output mixed with
>kernel output). I show the spi from the kernel messages and the one
>other occurrence of it. Could it be some time-out because there is such
>a long time (1 minute 21 seconds) between these parts?
now i see your problem. yes, your machine is too slow to do D-H by
racoon. kernel asks for a new key by ACQUIRE message, keeping the
information as SAD entry with "larval" state. the kernel waits
for the key to be installed for 30 seconds
(sys/netkey/key.c:key_larval_lifetime).
on your machine, by the time racoon tries to install the negotiated
key by UPDATE message, the larval SAD entry is gone.
try raising net.key.larval_lifetime to 120 (or 300?) and see if it
makes a difference.
itojun
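A quick way to confirm the diagnosis in the reply above, as an added example (not code from this thread or from NetBSD): pull the first and last mention of each SPI out of the interleaved console log and compare the gap against net.key.larval_lifetime. The log lines, the hostname and the exact key_acquire/key_update message text are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log (not real console output from the thread): kernel
# printf() lines and racoon lines interleaved, with syslog-style timestamps.
SAMPLE_LOG = """\
Jul 10 08:10:02 vax /netbsd: key_acquire: larval SA spi=0x1a2b3c4d created
Jul 10 08:10:03 vax racoon: INFO: begin Identity Protection mode.
Jul 10 08:11:23 vax racoon: INFO: IPsec-SA established: ESP/Transport spi=0x1a2b3c4d
Jul 10 08:11:23 vax /netbsd: key_update: no larval SA for spi=0x1a2b3c4d, EINVAL
"""

LINE_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ (.*)$")
SPI_RE = re.compile(r"spi=(0x[0-9a-fA-F]+)")

def parse_line(line, year=2002):
    """Return (timestamp, message) for a syslog-style line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, clock, msg = m.groups()
    stamp = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return stamp, msg

def spi_spans(log, year=2002):
    """Map each SPI to (first seen, last seen): the ACQUIRE that created the
    larval SAD entry and racoon's later UPDATE attempt for the same SPI."""
    spans = {}
    for line in log.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        stamp, msg = parsed
        s = SPI_RE.search(msg)
        if s is None:
            continue
        spi = s.group(1).lower()
        first, last = spans.get(spi, (stamp, stamp))
        spans[spi] = (min(first, stamp), max(last, stamp))
    return spans

def check_larval_timeout(log, larval_lifetime=30, year=2002):
    """Per SPI return (gap_seconds, exceeded); exceeded means the larval entry
    expired (default net.key.larval_lifetime is 30s) before the UPDATE arrived."""
    result = {}
    for spi, (first, last) in spi_spans(log, year).items():
        gap = int((last - first).total_seconds())
        result[spi] = (gap, gap > larval_lifetime)
    return result
```

If the gap exceeds the lifetime, the larval entry was already gone when racoon sent UPDATE, which is exactly the EINVAL path described above; rerun the check with the raised net.key.larval_lifetime value to see whether the negotiation now fits inside it.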