# based on
http://www.ipsec-howto.org/x304.html
key() ( bits=$1; dd if=/dev/random count=$((bits/8)) bs=1| xxd -ps )
host1=2001:16e8:ff4e::1
host2=2001:16e7:cd3c::223:77ff:fe18:1421
cat > setkey.conf <
#!/usr/sbin/setkey -f
# Configuration for $host1
# Flush the SAD and SPD
flush;
spdflush;
# set the authentication header
# AH SAs using 128 bit long keys
add $host2 $host1 ah 0x200 -A hmac-md5 0x$(key 128);
add $host1 $host2 ah 0x300 -A hmac-md5 0x$(key 128);
# ESP SAs using 192 bit long keys (168 + 24 parity)
add $host2 $host1 esp 0x201 -E 3des-cbc 0x$(key 192);
add $host1 $host2 esp 0x301 -E 3des-cbc 0x$(key 192);
# Security policies
spdadd $host2 $host1 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd $host1 $host2 any -P in ipsec
esp/transport//require
ah/transport//require;
EOF
sudo setkey -f setkey.conf
# copy setkey.conf to the other computer (host2),
# and on the other computer swap the '-P in' and '-P out'
# in the spdadd and run the sudo setkey -f setkey.conf
# WARNING! You will not be able to contact the other
# computer if only one of them has enabled the IPSec rules
# with setkey.