ipsec/racoon on ubuntu14.04

4. on vm1
a)
root@localhost:/root> ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 2.1.1.2/24 scope global eth0
b)
root@localhost:/root> ip r s
2.1.1.0/24 dev eth0  proto kernel  scope link  src 2.1.1.2
c)
root@localhost:/root> cat /etc/ipsec/0/ike1/racoon.conf
#!/usr/sbin/racoon
# racoon (IKEv1) configuration for vm1 (2.1.1.2); the peer is vm2 (2.1.1.1).
# The "remote" block negotiates phase 1 (ISAKMP SA); "sainfo" supplies the
# phase 2 (IPsec SA) parameters for the policies installed by ike1.add.
path pre_shared_key "/etc/ipsec/0/ike1/secret.psk";    # please note that the preshared key in this case is 12345
# The file above maps the peer address to the key ("2.1.1.1  12345", step d) and
# is the only authentication secret for this tunnel: keep it root-only (step h
# applies chmod 400) and replace the demo value with a long random key outside a lab.
remote 2.1.1.1
{
                exchange_mode main;   # main mode: identities are sent only after the DH exchange, not in the first messages
                my_identifier address 2.1.1.2;   # must match the identifier the peer's PSK file keys on
                nat_traversal off ;   # both hosts sit on the same 2.1.1.0/24 segment (steps a/b), so NAT-T is not needed
                script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;   # hook run by the daemon when the ISAKMP SA comes up/goes down; keep these scripts root-owned and not writable by others
                script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
                lifetime time 600 secs;   # ISAKMP SA lifetime; the phase 2 lifetime below (300 s) is shorter, so child SAs rekey under a live phase 1
                # phase 1 proposal (for ISAKMP SA)
                proposal {
                                encryption_algorithm aes;
                                hash_algorithm sha1;   # phase 1 PRF/integrity hash
                                authentication_method pre_shared_key;
                                dh_group 2;   # 1024-bit MODP; the peer must offer the same group or phase 1 fails
                }
}
# Phase 2 parameters for 2.1.1.2 (local) <-> 2.1.1.1 (remote), any protocol/port.
# NOTE(review): ike1.add requests ah/tunnel, i.e. integrity only; the
# encryption_algorithm below is only consulted for policies that ask for ESP.
sainfo address 2.1.1.2 any address 2.1.1.1 any
{
                lifetime time 300 secs;
                encryption_algorithm aes;
                authentication_algorithm hmac_sha1;   # the algorithm AH actually uses with the ah/tunnel policy
                compression_algorithm deflate;   # IPComp; presumably only applied when a policy requests ipcomp, which ike1.add does not
}

listen {
                adminsock "/etc/ipsec/0/ike1/.racoon_admin";   # racoonctl control socket; anyone who can open it can manage SAs, so the containing directory must not be world-accessible
                isakmp 2.1.1.2 [500];   # bind IKE to this host's own address only
}
d)
root@localhost:/root> cat /etc/ipsec/0/ike1/secret.psk
2.1.1.1  12345
f)
root@localhost:/root> cat /etc/ipsec/0/ike1.add
# FlexiPlatform: IPSec policy rule configuration
# setkey(8) SPD entries for vm1 (2.1.1.2). Both directions request AH in tunnel
# mode, so packets are authenticated (HMAC-SHA1 per racoon.conf) but NOT
# encrypted; an esp/tunnel policy would be needed for confidentiality.
# "unique" ties each policy to its own SA pair (the #reqid shown by setkey -DP).
# The "fwd" entry visible in step g is not defined here, so it appears to be
# derived by the kernel from the "in" policy.
spdadd  2.1.1.2/32 2.1.1.1/32 any
                -P out
                prio 2147480968 ipsec ah/tunnel/2.1.1.2-2.1.1.1/unique;
spdadd  2.1.1.1/32 2.1.1.2/32 any
                -P in
                prio 2147480968 ipsec ah/tunnel/2.1.1.1-2.1.1.2/unique;
g)
root@localhost:/root> setkey -DP
2.1.1.1[any] 2.1.1.2[any] 255
    fwd prio high + 1073739144 ipsec
    ah/tunnel/2.1.1.1-2.1.1.2/require
    created: May 20 07:39:17 2015  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=34 seq=1 pid=976
    refcnt=1
2.1.1.1[any] 2.1.1.2[any] 255
    in prio high + 1073739144 ipsec
    ah/tunnel/2.1.1.1-2.1.1.2/unique#16385
    created: May 20 07:39:17 2015  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=24 seq=2 pid=976
    refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
    out prio high + 1073739144 ipsec
    ah/tunnel/2.1.1.2-2.1.1.1/unique#16384
    created: May 20 07:39:17 2015  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=17 seq=3 pid=976
    refcnt=1

h) chmod 400 /etc/ipsec/0/ike1/secret.psk

5. on vm2
a)
root@localhost:/root> ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 2.1.1.1/24 scope global eth0
b)
root@localhost:/root> ip r s
2.1.1.0/24 dev eth0  proto kernel  scope link  src 2.1.1.1
c)
root@localhost:/root> cat /etc/ipsec/0/ike1/racoon.conf
#!/usr/sbin/raccoon
# NOTE(review): the interpreter above is spelled "raccoon" while vm1's file uses
# "/usr/sbin/racoon"; racoon treats the line as a comment, but fix it if this
# file is ever executed directly.
# racoon (IKEv1) configuration for vm2 (2.1.1.1); the peer is vm1 (2.1.1.2).
# Mirror image of vm1's config: same algorithms, lifetimes and PSK, swapped addresses.
path pre_shared_key "/etc/ipsec/0/ike1/secret.psk";    # please note that the preshared key in this case is 12345
# The file above maps the peer address to the key ("2.1.1.2   12345", step d) and
# is the only authentication secret for this tunnel: keep it root-only (step h
# applies chmod 400) and replace the demo value with a long random key outside a lab.
remote 2.1.1.2
{
                exchange_mode main;   # must match vm1 (main); identities are sent only after the DH exchange
                my_identifier address 2.1.1.1;   # must match the identifier vm1's PSK file keys on
                nat_traversal off ;   # both hosts share 2.1.1.0/24 (steps a/b), so NAT-T is not needed
                script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;   # hook run by the daemon when the ISAKMP SA comes up/goes down; keep these scripts root-owned and not writable by others
                script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
                lifetime time 600 secs;   # ISAKMP SA lifetime; longer than the 300 s phase 2 lifetime below
                # phase 1 proposal (for ISAKMP SA)
                proposal {
                                encryption_algorithm aes;
                                hash_algorithm sha1;   # phase 1 PRF/integrity hash
                                authentication_method pre_shared_key;
                                dh_group 2;   # 1024-bit MODP; identical to vm1's proposal, as required for phase 1 to succeed
                }
}
# Phase 2 parameters for 2.1.1.1 (local) <-> 2.1.1.2 (remote), any protocol/port.
# NOTE(review): ike1.add requests ah/tunnel, i.e. integrity only; the
# encryption_algorithm below is only consulted for policies that ask for ESP.
sainfo address 2.1.1.1 any address 2.1.1.2 any
{
                lifetime time 300 secs;
                encryption_algorithm aes;
                authentication_algorithm hmac_sha1;   # the algorithm AH actually uses with the ah/tunnel policy
                compression_algorithm deflate;   # IPComp; presumably only applied when a policy requests ipcomp, which ike1.add does not
}

listen {
                adminsock "/etc/ipsec/0/ike1/.racoon_admin";   # racoonctl control socket; anyone who can open it can manage SAs, so the containing directory must not be world-accessible
                isakmp 2.1.1.1 [500];   # bind IKE to this host's own address only
}
d)
root@localhost:/root> cat /etc/ipsec/0/ike1/secret.psk
2.1.1.2   12345
f)
root@localhost:/root> cat /etc/ipsec/0/ike1.add
# FlexiPlatform: IPSec policy rule configuration
# setkey(8) SPD entries for vm2 (2.1.1.1): the same two selectors as on vm1 with
# the in/out directions swapped. AH in tunnel mode authenticates packets
# (HMAC-SHA1 per racoon.conf) but does NOT encrypt them; use esp/tunnel for
# confidentiality. "unique" ties each policy to its own SA pair (the #reqid
# shown by setkey -DP); the "fwd" entry in step g is not defined here and so
# appears to be derived by the kernel from the "in" policy.
spdadd  2.1.1.2/32 2.1.1.1/32 any
                -P in
                prio 2147480968 ipsec ah/tunnel/2.1.1.2-2.1.1.1/unique;
spdadd  2.1.1.1/32 2.1.1.2/32 any
                -P out
                prio 2147480968 ipsec ah/tunnel/2.1.1.1-2.1.1.2/unique;

g)
root@localhost:/root> setkey -DP
2.1.1.1[any] 2.1.1.2[any] 255
    out prio high + 1073739144 ipsec
    ah/tunnel/2.1.1.1-2.1.1.2/unique#16385
    created: May 20 07:40:18 2015  lastused: May 20 07:47:17 2015
    lifetime: 0(s) validtime: 0(s)
    spid=33 seq=1 pid=984
    refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
    fwd prio high + 1073739144 ipsec
    ah/tunnel/2.1.1.2-2.1.1.1/require
    created: May 20 07:40:18 2015  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=26 seq=2 pid=984
    refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
    in prio high + 1073739144 ipsec
    ah/tunnel/2.1.1.2-2.1.1.1/unique#16384
    created: May 20 07:40:18 2015  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=16 seq=3 pid=984
    refcnt=1


h) chmod 400 /etc/ipsec/0/ike1/secret.psk

After running "racoon -f /etc/ipsec/0/ike1/racoon.conf && setkey -f /etc/ipsec/0/ike1.add", I then run "ping 2.1.1.1".