east:~#
 TZ=GMT export TZ
east:~#
 ipsec spi --clear
east:~#
 ipsec eroute --clear
east:~#
 enckey=0x4043434545464649494a4a4c4c4f4f50
east:~#
 authkey=0x87658765876587658765876587658765
east:~#
 ipsec klipsdebug --set pfkey
east:~#
 ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto esp --src 192.1.2.23 --esp aes128-sha1-96 --enckey $enckey --authkey $authkey
/usr/local/libexec/ipsec/spi: invalid auth keylen=128, must be between 160 and 160 bits
east:~#
 ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4
east:~#
 ipsec spigrp inet 192.1.2.45 0x12345678 tun inet 192.1.2.45 0x12345678 esp 
/usr/local/libexec/ipsec/spigrp: pfkey write failed, returning -1 with errno=2.
device does not exist.  See FreeS/WAN installation procedure.
east:~#
 ipsec eroute --add --eraf inet --src 192.0.2.0/24 --dst 192.0.1.0/24 --said tun0x12345678@192.1.2.45
east:~#
 ipsec tncfg --attach --virtual ipsec0 --physical eth1
east:~#
 ifconfig ipsec0 inet 192.1.2.23 netmask 0xffffff00 broadcast 192.1.2.255 up
east:~#
 arp -s 192.1.2.45 10:00:00:64:64:45
east:~#
 arp -s 192.1.2.254 10:00:00:64:64:45
east:~#
 ipsec look
east NOW
192.0.2.0/24       -> 192.0.1.0/24       => tun0x12345678@192.1.2.45  (0)
ipsec0->eth1 mtu=16260(1500)->1500
tun0x12345678@192.1.2.45 IPIP: dir=out src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=3 ref=2
ROUTING TABLE
east:~#
 route add -host 192.0.1.1 gw 192.1.2.45 dev ipsec0