west:~# TZ=GMT export TZ west:~# ipsec spi --clear west:~# ipsec eroute --clear west:~# enckey=0x4043434545464649494a4a4c4c4f4f515152525454575758 west:~# inspi=0x01000583 west:~# outspi=$inspi west:~# eastip=192.1.2.23 west:~# westip=192.1.2.45 west:~# source=192.0.2.0/24 west:~# dst=192.0.1.0/24 west:~# ipsec spi --af inet --edst $eastip --spi $outspi --proto esp --src $westip --esp 3des --enckey $enckey west:~# ipsec spi --af inet --edst $eastip --spi $outspi --proto tun --src $westip --dst $eastip --ip4 west:~# ipsec spigrp inet $eastip $outspi tun inet $eastip $outspi esp west:~# ipsec eroute --add --eraf inet --src $source --dst $dst --said tun$inspi@$eastip west:~# ipsec spi --af inet --edst $westip --spi $inspi --proto esp --src $eastip --esp 3des --enckey $enckey west:~# ipsec spi --af inet --edst $westip --spi $inspi --proto tun --src $eastip --dst $westip --ip4 west:~# ipsec spigrp inet $westip $inspi tun inet $westip $inspi esp west:~# route add -net 192.0.1.0 netmask 255.255.255.0 gw 192.1.2.45 dev ipsec0 SIOCADDRT: Network is unreachable west:~# ipsec tncfg --attach --virtual ipsec0 --physical eth1 west:~# ifconfig ipsec0 inet 192.1.2.45 netmask 0xffffff00 broadcast 192.1.2.255 up west:~# arp -s 192.0.1.1 10:00:00:ab:cd:01 west:~# arp -s 192.1.2.23 10:00:00:64:64:23 west:~# arp -s 192.1.2.254 10:00:00:64:64:23 west:~# ipsec look west NOW 192.0.2.0/24 -> 192.0.1.0/24 => tun0x1000583@192.1.2.23 esp0x1000583@192.1.2.23 (0) ipsec0->eth1 mtu=16260(1500)->1500 esp0x1000583@192.1.2.23 ESP_3DES: dir=out src=192.1.2.45 iv_bits=64bits iv=0xDEADF00DDEADF00D eklen=192 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=3 esp0x1000583@192.1.2.45 ESP_3DES: dir=in src=192.1.2.23 iv_bits=64bits iv=0xDEADF00DDEADF00D eklen=192 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=5 tun0x1000583@192.1.2.23 IPIP: dir=out src=192.1.2.45 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=4 tun0x1000583@192.1.2.45 IPIP: dir=in src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=6 ROUTING TABLE west:~# ipsec klipsdebug --all