diff --git a/init/property_service.c b/init/property_service.c
index d2f174d79935e7b8433721557e6087a422ae65c3..046b1204bfa512700865840e8073c612dd3b3305 100644
--- a/init/property_service.c
+++ b/init/property_service.c
@@ -75,8 +75,6 @@ struct {
     { "wlan.",            AID_SYSTEM,   0 },
     { "dhcp.",            AID_SYSTEM,   0 },
     { "dhcp.",            AID_DHCP,     0 },
-    { "vpn.",             AID_SYSTEM,   0 },
-    { "vpn.",             AID_VPN,      0 },
     { "debug.",           AID_SHELL,    0 },
     { "log.",             AID_SHELL,    0 },
     { "service.adb.root", AID_SHELL,    0 },
diff --git a/rootdir/init.rc b/rootdir/init.rc
index d9ac7a4bc7717faf4614c35e42ce1243bb8084e8..8dd858f9b591e3aa1e1c4601b3eeccd8207fc2fd 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -144,9 +144,8 @@ on post-fs-data
     mkdir /data/misc/bluetooth 0770 system system
     mkdir /data/misc/keystore 0700 keystore keystore
     mkdir /data/misc/keychain 0771 system system
-    mkdir /data/misc/vpn 0770 system system
+    mkdir /data/misc/vpn 0770 system vpn
     mkdir /data/misc/systemkeys 0700 system system
-    mkdir /data/misc/vpn/profiles 0770 system system
     # give system access to wpa_supplicant.conf for backup and restore
     mkdir /data/misc/wifi 0770 wifi wifi
     chmod 0660 /data/misc/wifi/wpa_supplicant.conf
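Review bot: The changed `mkdir /data/misc/vpn 0770 system vpn` line gives the vpn gid full read, write and search access to the directory, but no comment says which daemon needs it, unlike the wifi entry just below. If the intent is what the racoon hunk in this file suggests, a line such as `# vpn daemons run with gid vpn and share state with system here` would record it; the wording needs confirming against the daemon code, which is not in this diff. Separately, dropping the `/data/misc/vpn/profiles` line stops creating that directory, but nothing visible here removes it on devices that already have it. Any profiles saved there would stay on disk after an upgrade, so a cleanup step is worth considering.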
@@ -462,8 +461,8 @@ service flash_recovery /system/etc/install-recovery.sh
 service racoon /system/bin/racoon
     class main
     socket racoon stream 600 system system
-    # racoon will setuid to vpn after getting necessary resources.
-    group net_admin
+    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
+    group vpn net_admin
     disabled
     oneshot
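Review bot: The racoon stanza shows no `user` line in the visible context, so init presumably starts it as root, and the drop to vpn depends entirely on racoon's own setuid call succeeding after the bind. The new comment should state that expectation, for example `# Starts as root to bind UDP 500; racoon must exit if the setuid to vpn fails.` Because `group vpn net_admin` makes vpn the primary gid and keeps net_admin as a supplementary group, it is also worth confirming in racoon (outside this diff) that the return value of the drop is checked and that only the groups still needed remain afterwards. The stanza may continue past the end of this hunk.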