west:~# TZ=GMT export TZ west:~# ipsec spi --clear west:~# ipsec eroute --clear west:~# enckey1=0x4043434545464649494a4a4c4c4f4f515152525454575758 west:~# enckey2=0x5464649494a4a4c4c4f4f515152525454575758404343454 west:~# authkey1=0x87658765876587658765876587658765 west:~# authkey2=0x65876587658765876587658765876587 west:~# : set up SPI 1 west:~# sa1=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x88447755 --proto esp --src 192.1.2.23 --esp 3des-md5-96 --enckey $enckey1 --authkey $authkey1 --saref | cut -d '=' -f2` west:~# echo SA1 $sa1 SA1 3 west:~# sa2=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x88447755 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4 --saref | cut -d '=' -f2` west:~# echo SA2 $sa2 SA2 4 west:~# ipsec spigrp inet 192.1.2.45 0x88447755 tun inet 192.1.2.45 0x88447755 esp west:~# : set up SPI 2 west:~# sa3=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto esp --src 192.1.2.23 --esp 3des-md5-96 --enckey $enckey2 --authkey $authkey2 --saref | cut -d '=' -f2` west:~# echo SA3 $sa3 SA3 5 west:~# sa4=`ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4 --saref | cut -d '=' -f2` west:~# echo SA4 $sa4 SA4 6 west:~# ipsec spigrp inet 192.1.2.45 0x12345678 tun inet 192.1.2.45 0x12345678 esp west:~# ipsec look west NOW esp0x12345678@192.1.2.45 ESP_3DES_HMAC_MD5: dir=in src=192.1.2.23 iv_bits=64bits iv=0xDEADF00DDEADF00D alen=128 aklen=128 eklen=192 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=5 esp0x88447755@192.1.2.45 ESP_3DES_HMAC_MD5: dir=in src=192.1.2.23 iv_bits=64bits iv=0xDEADF00DDEADF00D alen=128 aklen=128 eklen=192 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=3 tun0x12345678@192.1.2.45 IPIP: dir=in src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=6 tun0x88447755@192.1.2.45 IPIP: dir=in src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=4 ref=4 ROUTING TABLE west:~# sa1=$(printf "0x%08x" $(expr $sa1 '*' 65536)) west:~# sa2=$(printf "0x%08x" $(expr $sa2 '*' 65536)) west:~# sa3=$(printf "0x%08x" $(expr $sa3 '*' 65536)) west:~# sa4=$(printf "0x%08x" $(expr $sa4 '*' 65536)) west:~# echo SA1 $sa1 SA1 0x00030000 west:~# echo SA2 $sa2 SA2 0x00040000 west:~# echo SA3 $sa3 SA3 0x00050000 west:~# echo SA4 $sa4 SA4 0x00060000 west:~# : now setup of the nfmark based switching west:~# mkdir -p /etc/iproute2 west:~# echo '11 sa1' >>/etc/iproute2/rt_tables west:~# echo '12 sa2' >>/etc/iproute2/rt_tables west:~# echo '13 sa3' >>/etc/iproute2/rt_tables west:~# echo '14 sa4' >>/etc/iproute2/rt_tables west:~# ip rule add fwmark $sa2 table sa2 west:~# ip route add default via 192.1.2.254 dev eth1 table sa2 west:~# ipsec tncfg --attach --virtual ipsec0 --physical eth1 west:~# ifconfig ipsec0 inet 192.1.2.45 netmask 0xffffff00 broadcast 192.1.2.255 up west:~# arp -s 192.1.2.23 10:00:00:64:64:23 west:~# arp -s 192.1.2.254 10:00:00:64:64:fe west:~# arp -s 192.0.1.1 10:00:00:32:32:01 west:~# arp -s 192.9.2.254 10:00:00:99:99:fe SIOCSARP: Network is unreachable