Here is another example, this time extending the earlier script to use "esp" instead of "ah". AH authenticates the outer IP header, so it cannot survive address rewriting; ESP does not cover the outer header, which is why it has a better chance of passing through NAT and non-compliant routers and such. Be aware that ESP configured with only an encryption algorithm (`-E`) provides confidentiality but no integrity check, so an ESP SA should also carry an authenticator (`-A`). If NAT is not a concern, then an even better setup would be to combine both AH and ESP.

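#!/bin/sh
# Manually keyed IPsec between two hosts, configured with setkey(8).
#
# Usage:  ipsec.sh        -- flush the SAD/SPD, then install the SAs/policies
#         ipsec.sh stop   -- flush the SAD/SPD only
#
# Both hosts run the same script; the policies below are written for both
# directions so the file can be copied verbatim between them.
#
# SECURITY NOTE: the keys below are placeholders for the example.  Replace
# them with fresh random values (e.g. `openssl rand -hex 24`, given to setkey
# as 0x... hex strings), use a different key for each direction and each
# algorithm, and keep this file readable by root only.
set -eu

action="${1:-}"
IP1=10.0.0.53
IP2=10.0.0.14

# "esp" does not protect the outer IP header and so can cross NAT; "ah" is
# integrity-only and breaks behind NAT.
ENCAP="esp"

# SPIs only need to be unique per destination, but one per direction
# keeps the two SAs distinguishable in `setkey -D`.
SPI_1TO2=15700
SPI_2TO1=15701

if [ "$ENCAP" = "ah" ]; then
    # AH: integrity only.  hmac-sha1 takes a 20-byte key (hmac-md5 is
    # deprecated and should not be used for new setups).
    ALG_1TO2='-A hmac-sha1 "12345678901234567890"'
    ALG_2TO1='-A hmac-sha1 "09876543210987654321"'
else ## "esp"
    # ESP: encryption (3des-cbc, 24-byte key) AND an authenticator.  ESP with
    # only -E gives confidentiality but no integrity: CBC ciphertext can be
    # altered in transit without detection.  Prefer aes-cbc / hmac-sha256
    # where the kernel and setkey build support them.
    ALG_1TO2='-E 3des-cbc "123456789012345678901234" -A hmac-sha1 "12345678901234567890"'
    ALG_2TO1='-E 3des-cbc "432109876543210987654321" -A hmac-sha1 "09876543210987654321"'
fi
SK="/usr/sbin/setkey -c"

# setkey programs the kernel SAD/SPD and needs root; fail early with a
# clear message rather than after a partial flush.
if [ "$(id -u)" -ne 0 ]; then
    echo "$0: must be run as root" >&2
    exit 1
fi

echo "Clearing ipsec configuration.. "
$SK <<EOF
flush;
spdflush;
EOF

[ "$action" = "stop" ] && exit 0

echo "Enabling ipsec.. "
# One SA per direction, each with its own SPI and keys.  The double quotes
# inside $ALG_* are literal text for setkey's parser, not shell quoting.
$SK <<EOF
add $IP1 $IP2 $ENCAP $SPI_1TO2 $ALG_1TO2;
add $IP2 $IP1 $ENCAP $SPI_2TO1 $ALG_2TO1;
spdadd $IP1 $IP2 any -P out ipsec $ENCAP/transport//require;
spdadd $IP2 $IP1 any -P out ipsec $ENCAP/transport//require;
spdadd $IP1 $IP2 any -P in ipsec $ENCAP/transport//require;
spdadd $IP2 $IP1 any -P in ipsec $ENCAP/transport//require;
EOF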

