east:~#
 TZ=GMT export TZ
east:~#
 ipsec spi --clear
east:~#
 ipsec eroute --clear
east:~#
 authkey=0x98765876587658765876587658765876
east:~#
 ipsec spi --af inet --edst 192.1.2.45 --spi 0x91234567 --proto ah --src 192.1.2.23 --ah hmac-md5-96 --authkey $authkey
east:~#
 ipsec spi --af inet --edst 192.1.2.45 --spi 0x91234567 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4
east:~#
 ipsec spigrp inet 192.1.2.45 0x91234567 tun inet 192.1.2.45 0x91234567 ah
east:~#
 ipsec eroute --add --eraf inet --src 192.0.2.0/24 --dst 192.0.1.0/24 --said tun0x91234567@192.1.2.45
east:~#
 ipsec tncfg --attach --virtual ipsec0 --physical eth1
east:~#
 ifconfig ipsec0 inet 192.1.2.23 netmask 0xffffff00 broadcast 192.1.2.255 up
east:~#
 arp -s 192.1.2.45 10:00:00:64:64:45
east:~#
 arp -s 192.1.2.254 10:00:00:64:64:45
east:~#
 ipsec look
east NOW
192.0.2.0/24       -> 192.0.1.0/24       => tun0x91234567@192.1.2.45 ah0x91234567@192.1.2.45  (0)
ipsec0->eth1 mtu=16260(1500)->1500
ah0x91234567@192.1.2.45 AH_HMAC_MD5: dir=out src=192.1.2.23 alen=128 aklen=128 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=2
tun0x91234567@192.1.2.45 IPIP: dir=out src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=3
ROUTING TABLE
east:~#
 route add -host 192.0.1.1 gw 192.1.2.45 dev ipsec0