east:~# TZ=GMT export TZ east:~# ipsec spi --clear east:~# ipsec eroute --clear east:~# enckey=0x4043434545464649494a4a4c4c4f4f515152525454575758 east:~# authkey=0x87658765876587658765876587658765 east:~# saref=4562 east:~# nfsaref=$(printf "%d" $(( ($saref * 65536) | 0x80000000 ))) east:~# echo 0xffffffff >/proc/sys/net/ipsec/debug_xform east:~# echo 0xffffffff >/proc/sys/net/ipsec/debug_pfkey east:~# echo 0xffffffff >/proc/sys/net/ipsec/debug_xmit east:~# echo 0xffffffff >/proc/sys/net/ipsec/debug_tunnel east:~# ipsec spi --af inet --edst 192.1.2.45 --spi 0x1bbdd678 --proto esp --src 192.1.2.23 --esp 3des-md5-96 --enckey $enckey --authkey $authkey east:~# ipsec spi --af inet --edst 192.1.2.45 --spi 0x1bbdd678 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4 --saref $saref /usr/local/libexec/ipsec/spi: saref=4562/0 east:~# ipsec spigrp inet 192.1.2.45 0x1bbdd678 tun inet 192.1.2.45 0x1bbdd678 esp east:~# ifconfig mast0 inet 192.1.2.23 netmask 255.255.255.255 mtu 1460 up east:~# arp -s 192.1.2.45 10:00:00:64:64:45 east:~# arp -s 192.1.2.254 10:00:00:64:64:45 east:~# ipsec look east NOW esp0x1bbdd678@192.1.2.45 ESP_3DES_HMAC_MD5: dir=out src=192.1.2.23 iv_bits=64bits iv=0xDEADF00DDEADF00D alen=128 aklen=128 eklen=192 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=3 ref=1 refhim=0 reftable=0 refentry=1 tun0x1bbdd678@192.1.2.45 IPIP: dir=out src=192.1.2.23 life(c,s,h)= natencap=none natsport=0 natdport=0 refcount=3 ref=4562 refhim=0 reftable=2 refentry=466 ROUTING TABLE east:~# ip rule add fwmark 0x80000000 fwmarkmask 0x80000000 table 51 east:~# ip route add 0.0.0.0/0 dev mast0 table 51 east:~# iptables -I OUTPUT 1 -t mangle --src 192.0.2.254/32 --dst 192.0.1.0/24 -j MARK --set-mark $nfsaref east:~# hping2 -a 192.0.2.254 -c 2 --udp -d 64 -e 'mast0' 192.0.1.254 HPING 192.0.1.254 (eth1 192.0.1.254): udp mode set, 28 headers + 64 data bytes --- 192.0.1.254 hping statistic --- 2 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms