Why does /usr/sbin/racoon require inbound connections when a VPN is active on MacOS Sierra Today, I was monitoring my network accesses using Little Snitch and connecting to an Avast SecureVPN when Little Snitch warned me that it was blocking inbound attempts to contact /usr/sbin/racoon. I did my research and know that racoon is the IPsec IKE daemon, so I gather it has something to do with keys and IPsec, but if Avast is able to establish the VPN, why would racoon need to get involved? When the VPN is disconnected, racoon is no longer contacted. It seems like the inbound connection attempts are about 5 minutes apart.

To use IPSec both sides needs some tools for key exchange. You _can_ do key exchange manually but nobody does it. Protocol named ISAKMP/IKE used for key exchange. It uses `udp/500`. On *BSD systems racoon daemon is used for it. Since key exchange takes place at first connection and then keys are updated periodically you need to accept incoming `udp/500` for IPSec to work.

If you close `udp/500` IPSec may detect it and use NAT traversal (< (`udp/4500`) which allows client not to accept incomming connections. This could be your case.