# Freebsd Racoon setkey configuration?



## tpfiler (Aug 14, 2019)

When configuring Setkey to add Security Policy Database for AWS tunnels I understand that I should let the kernel know what traffic I want to get encrypted.
And so I added my internal network to go to the remote VPC (AWS) network and the other way around.

For example:
`spdadd 25.25.25.64/26 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;`
`spdadd 10.1.0.0/24 25.25.25.64/26 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;`
Above is understood.

The confusion I have is that the setkey configuration would not work unless I included the local tunnel ip associated to the remote tunnel ip, such as:
`spdadd 169.254.1.2/30 169.254.1.1/30 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;`
`spdadd 169.254.1.1/30 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;`


Do I have to add the /32 tunnel ip with a cidr of /30 as above, or can I change it to 169.254.1.0/30?

I prefer not to test this by trial and error.
I am also confused as to why I need the local tunnel ip associated to the VPC network:
`spdadd 169.254.1.2/30 10.1.0.0/24 any -P out ipsec esp/tunnel/45.45.45.45-11.11.11.11/use;`
`spdadd 10.1.0.0/24 169.254.1.2/30 any -P in ipsec esp/tunnel/11.11.11.11-45.45.45.45/use;`


The biggest confusion I have is that the configuration above works but when I try: 

Instance with ip 10.1.0.1 (AWS side), instance with ip 25.25.25.66 (local network):
`ping -S 169.254.1.2 10.1.0.1 #Does not work even though I provided the spdadd`
`ping -S 25.25.25.66 10.1.0.1 #Works, as expected because I added the spdadd`
Any guidance would be much appreciated!

