On Tue, Mar 01, 2016 at 09:09:07AM -0500, Greg Troxel wrote:
>
> In my experience, SPD entries are added outside of racoon to tell the
> kernel that certain traffic should have IPsec protection. I don't
> understand how in your setup that's supposed to work, or what is
> triggering racoon to start the negotiation.
>
An SPD sets the policy for encrypting an outgoing packet. If you are simply creating a tunnel between two machines, I think you don't need it, but if you have a machine that wants to access a network on the other side of a tunnel, then you need an SPD to tell ipsec to use a particular SAD to encrypt and send the packet. I cannot recall myself, but I think racoon should set up the SPD if you have told it there is a network range on the remote end.

If racoon is configured with passive off, then it will attempt negotiation when it starts; I expect this is what is happening.

--
Brett Lymn
Let go, or be dragged - Zen proverb.
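For the host-to-remote-network case Brett describes, the SPD entry is what the kernel consults for each outgoing packet. With policy level `require` and no matching SA in the SAD, the KAME IPsec stack (NetBSD, FreeBSD) sends a PF_KEY SADB_ACQUIRE on the key socket, and a running racoon picks that up and starts IKE negotiation; that is the trigger Greg asks about. The shell script below is added here as an example and is not code from either poster or from the racoon project. It generates setkey(8) policy entries for the two cases in the reply (host-to-host transport mode, which needs no tunnel endpoints, and host-to-net tunnel mode, which does). The addresses are constructed RFC 5737 documentation values and the function names are my own.

```shell
#!/bin/sh
# Added example: build setkey(8) SPD entries for the cases discussed in the thread.
# Addresses used below are constructed placeholders (RFC 5737 documentation ranges).

# transport_policy HOST_A HOST_B
# Host-to-host: ESP in transport mode, no tunnel endpoints in the policy.
transport_policy() {
    a=$1; b=$2
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/transport//require;\n' "$a" "$b"
    printf 'spdadd %s/32 %s/32 any -P in ipsec esp/transport//require;\n' "$b" "$a"
}

# tunnel_policy LOCAL_HOST REMOTE_NET REMOTE_GW
# Host-to-net: traffic from this host to REMOTE_NET must go through an ESP
# tunnel from LOCAL_HOST to REMOTE_GW.  The tunnel endpoints in the policy
# (src-dst after esp/tunnel/) are what select the SA in the SAD; the inbound
# entry is the mirror image.  "require" means the kernel will not send the
# packet in clear and will raise a PF_KEY ACQUIRE when no SA exists yet.
tunnel_policy() {
    local_host=$1; remote_net=$2; remote_gw=$3
    printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_host" "$remote_net" "$local_host" "$remote_gw"
    printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_host" "$remote_gw" "$local_host"
}

# full_policy: clear the old SPD first so stale entries do not shadow new ones,
# then emit the host-to-net entries for the constructed example topology.
full_policy() {
    echo 'spdflush;'
    tunnel_policy 192.0.2.10 198.51.100.0/24 203.0.113.1
}

# Load the policy only when asked to and when setkey exists; otherwise print it.
if [ "${1:-}" = "apply" ] && command -v setkey >/dev/null 2>&1; then
    full_policy | setkey -c
else
    full_policy
fi
```

Run it without arguments to see the generated entries, or with `apply` as root on a KAME-based system to load them via `setkey -c`; `setkey -DP` then shows the installed SPD and `setkey -D` the SAs racoon negotiates. The remote gateway needs the mirror-image entries, and the proposals in racoon.conf must match the tunnel mode and endpoints named in the policy, otherwise the ACQUIRE is raised but negotiation fails.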