AFP548

Phase 1 fails when setting up IPSec tunnel.

I read the articles on racoon and now a friend and I try to set up an IPSec tunnel between our machines. We both have public IPs from our ISPs. My IP is 123.45.67.89 and he has abc.def.gh.ij.

Arguments to setkey on my machine:

    spdadd 123.456.78.90 abc.def.gh.ij any -P out ipsec esp/transport/123.456.78.90-abc.def.gh.ij/require;
    spdadd abc.def.gh.ij abc.def.gh.ij any -P in ipsec esp/transport/abc.def.gh.ij-123.456.78.90/require;

and on the other machine:

    spdadd abc.def.gh.ij 123.456.78.90 any -P out ipsec esp/transport/abc.def.gh.ij-123.456.78.90/require;
    spdadd abc.def.gh.ij abc.def.gh.ij any -P in ipsec esp/transport/123.456.78.90-abc.def.gh.ij/require;

We do not specify any IP range like they did in the example (10.0.0.3/32).

Btw, I found an 'asymmetry' in the example. At the client the IP numbers in the spdadd lines are paired together like this:

    client/server
    client/server
    server/client
    server/client

but on the server they are ordered like this:

    server/server
    server/client
    client/server
    client/server

Why are they different?

Anyway, after setting up the spdadd lines, sharing a secret word and starting racoon we try to connect to each other's machines, by telnetting, cmd-k in the Finder etc., but we cannot find each other. My system log looks like this:

    % tail -f /var/log/system.log | grep racoon
    May 1 14:56:08 pb racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for abc.def.gh.ij queued due to no phase1 found.
    May 1 14:56:08 pb racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 123.456.78.90[500]<=>abc.def.gh.ij[500]
    May 1 14:56:08 pb racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode.
    May 1 14:56:39 pb racoon: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP abc.def.gh.ij->123.456.78.90
    May 1 14:56:39 pb racoon: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
    May 1 14:57:05 pb racoon: NOTIFY: pfkey.c:1539:pk_recvacquire(): no in-bound policy found: abc.def.gh.ij/32[0] 123.456.78.90/32[0] proto=any dir=in
    May 1 14:57:05 pb racoon: INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
    May 1 14:57:36 pb racoon: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP abc.def.gh.ij->123.456.78.90
    May 1 14:57:36 pb racoon: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
    May 1 14:58:08 pb racoon: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. e346f74d2a16b588:0000000000000000

Obviously phase 1 is never established, but why? Can firewalls and/or routers interfere with the process of setting up the tunnel? My machine is directly connected to the internet, with neither firewall nor router in between (of course there are routers, but not on my LAN). Any ideas? Thanks
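The post's two questions (why the in/out spdadd lines must mirror each other between the two hosts, and what the "no in-bound policy found" NOTIFY in the log is complaining about) can be checked mechanically. The script below is an added example, not code from the post or from racoon/setkey: it parses spdadd statements for an ESP transport-mode setup between two hosts, verifies that each host's "in" policy is the peer's "out" policy with source and destination swapped (and that the ESP endpoints follow the same direction as the selector), and turns racoon's "no in-bound policy found" line into the spdadd that would cover the missing selector. The hosts 192.0.2.10 and 198.51.100.20, the SPD text and the log line are constructed sample input; host B's "in" line is deliberately written with its own address as both source and destination, the shape that produces that NOTIFY.

```python
"""Check a pair of setkey SPD configurations for an ESP transport-mode tunnel
between two hosts, and explain racoon's 'no in-bound policy found' NOTIFY.
Added example with hypothetical helpers; not part of racoon or setkey."""
import re

# One spdadd statement: src dst proto -P dir ipsec esp/transport/esp_src-esp_dst/level
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+esp/transport/(?P<esp_src>[^-/]+)-(?P<esp_dst>[^/]+)/(?P<level>\w+)$"
)

# racoon's complaint when the kernel asks for an SA that no SPD entry covers
ACQUIRE_RE = re.compile(
    r"no in-bound policy found: (?P<src>[^/ ]+)/\d+\[\d+\] (?P<dst>[^/ ]+)/\d+\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)


def parse_spd(text):
    """Split a setkey script on ';' and parse each spdadd statement into a dict."""
    policies = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())  # collapse newlines and extra spaces
        if not stmt:
            continue
        m = SPD_RE.match(stmt)
        if m is None:
            raise ValueError("unparsable spdadd statement: " + stmt)
        policies.append(m.groupdict())
    return policies


def check_host(local, peer, policies):
    """Return problems with one host's SPD for a local<->peer transport tunnel."""
    problems = []
    seen = set()
    for p in policies:
        # 'out' covers local->peer traffic, 'in' covers peer->local traffic;
        # the ESP endpoints must point the same way as the selector.
        expected = (local, peer) if p["dir"] == "out" else (peer, local)
        seen.add(p["dir"])
        if (p["src"], p["dst"]) != expected:
            problems.append(f"{p['dir']} selector {p['src']}->{p['dst']} "
                            f"should be {expected[0]}->{expected[1]}")
        if (p["esp_src"], p["esp_dst"]) != expected:
            problems.append(f"{p['dir']} ESP endpoints {p['esp_src']}-{p['esp_dst']} "
                            f"should be {expected[0]}-{expected[1]}")
    for d in ("in", "out"):
        if d not in seen:
            problems.append(f"no {d} policy at all")
    return problems


def check_pair(host_a, spd_a, host_b, spd_b):
    """Check both hosts' SPDs against each other; empty lists mean they mirror correctly."""
    return {host_a: check_host(host_a, host_b, parse_spd(spd_a)),
            host_b: check_host(host_b, host_a, parse_spd(spd_b))}


def explain_acquire(log_line):
    """Return the spdadd that would satisfy a 'no in-bound policy found' NOTIFY, else None."""
    m = ACQUIRE_RE.search(log_line)
    if m is None:
        return None
    return (f"spdadd {m['src']} {m['dst']} {m['proto']} -P {m['dir']} ipsec "
            f"esp/transport/{m['src']}-{m['dst']}/require;")


# Constructed sample: host A = 192.0.2.10, host B = 198.51.100.20 (documentation
# addresses). Host B's 'in' line wrongly repeats B's own address as source.
A, B = "192.0.2.10", "198.51.100.20"
SPD_A = f"""
spdadd {A} {B} any -P out ipsec esp/transport/{A}-{B}/require;
spdadd {B} {A} any -P in  ipsec esp/transport/{B}-{A}/require;
"""
SPD_B = f"""
spdadd {B} {A} any -P out ipsec esp/transport/{B}-{A}/require;
spdadd {B} {B} any -P in  ipsec esp/transport/{A}-{B}/require;
"""
# Constructed racoon line as it would appear in host B's system.log.
LOG_LINE = (f"May  1 14:57:05 pb racoon: NOTIFY: pfkey.c:1539:pk_recvacquire(): "
            f"no in-bound policy found: {A}/32[0] {B}/32[0] proto=any dir=in")

if __name__ == "__main__":
    for host, probs in check_pair(A, SPD_A, B, SPD_B).items():
        print(host, "OK" if not probs else probs)
    print("missing policy on B:", explain_acquire(LOG_LINE))
```

Run as-is, it reports host A as consistent, flags host B's inbound selector, and prints the spdadd line that the NOTIFY says is missing. A correct SPD only gets you past the PF_KEY ACQUIRE stage, though: a phase 1 timeout like the one in the log means no ISAKMP reply came back on UDP 500 at all, which is where the firewall/router question in the post comes in.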