west:~#
 TZ=GMT export TZ
west:~#
 ipsec spi --clear
west:~#
 ipsec eroute --clear
west:~#
 enckey1=0x4043434545464649494a4a4c4c4f4f515152525454575758
west:~#
 enckey2=0x5464649494a4a4c4c4f4f515152525454575758404343454
west:~#
 authkey1=0x87658765876587658765876587658765
west:~#
 authkey2=0x65876587658765876587658765876587
west:~#
 : set up SPI 1
west:~#
 sa1=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x88447755 --proto esp --src 192.1.2.23 --esp 3des-md5-96 --enckey $enckey1 --authkey $authkey1 --saref | cut -d '=' -f2`
west:~#
 echo SA1 $sa1
SA1 3
west:~#
 sa2=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x88447755 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4 --saref | cut -d '=' -f2`
west:~#
 echo SA2 $sa2
SA2 4
west:~#
 ipsec spigrp inet 192.1.2.45 0x88447755 tun inet 192.1.2.45 0x88447755 esp 
west:~#
 : set up SPI 2
west:~#
 sa3=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto esp --src 192.1.2.23 --esp 3des-md5-96 --enckey $enckey2 --authkey $authkey2 --saref | cut -d '=' -f2`
west:~#
 echo SA3 $sa3
SA3 5
west:~#
 sa4=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4 --saref | cut -d '=' -f2`
west:~#
 echo SA4 $sa4
SA4 6
west:~#
 ipsec spigrp inet 192.1.2.45 0x12345678 tun inet 192.1.2.45 0x12345678 esp 
west:~#
 ipsec look
west NOW
esp0x12345678@192.1.2.45 ESP_3DES_HMAC_MD5: dir=in  src=192.1.2.23 iv_bits=64bits iv=0xDEADF00DDEADF00D alen=128 aklen=128 eklen=192 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=5
esp0x88447755@192.1.2.45 ESP_3DES_HMAC_MD5: dir=in  src=192.1.2.23 iv_bits=64bits iv=0xDEADF00DDEADF00D alen=128 aklen=128 eklen=192 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=3
tun0x12345678@192.1.2.45 IPIP: dir=in  src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=6
tun0x88447755@192.1.2.45 IPIP: dir=in  src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=4
ROUTING TABLE
west:~#
 sa1=$(printf "0x%08x" $(expr $sa1 '*' 65536))
west:~#
 sa2=$(printf "0x%08x" $(expr $sa2 '*' 65536))
west:~#
 sa3=$(printf "0x%08x" $(expr $sa3 '*' 65536))
west:~#
 sa4=$(printf "0x%08x" $(expr $sa4 '*' 65536))
west:~#
 echo SA1 $sa1
SA1 0x00030000
west:~#
 echo SA2 $sa2
SA2 0x00040000
west:~#
 echo SA3 $sa3
SA3 0x00050000
west:~#
 echo SA4 $sa4
SA4 0x00060000
west:~#
 : now setup of the nfmark based switching
west:~#
 mkdir -p /etc/iproute2
west:~#
 echo '11  sa1' >>/etc/iproute2/rt_tables
west:~#
 echo '12  sa2' >>/etc/iproute2/rt_tables
west:~#
 echo '13  sa3' >>/etc/iproute2/rt_tables
west:~#
 echo '14  sa4' >>/etc/iproute2/rt_tables
west:~#
 ip rule add fwmark $sa2 table sa2
west:~#
 ip route add default via 192.1.2.254 dev eth1 table sa2
west:~#
 ipsec tncfg --attach --virtual ipsec0 --physical eth1
west:~#
 ifconfig ipsec0 inet 192.1.2.45 netmask 0xffffff00 broadcast 192.1.2.255 up
west:~#
 arp -s 192.1.2.23 10:00:00:64:64:23
west:~#
 arp -s 192.1.2.254 10:00:00:64:64:fe
west:~#
 arp -s 192.0.1.1  10:00:00:32:32:01
west:~#
 arp -s 192.9.2.254 10:00:00:99:99:fe
SIOCSARP: Network is unreachable

