Subject: help with ipsec, again
To: None <netbsd-users@netbsd.org>
From: Denis Lagno <dlagno@smtp.ru>
List: netbsd-users
Date: 01/30/2005 12:26:30
I have one machine (flam, 192.168.0.11) connected to a Wi-Fi access point (ap).
I also have a laptop (chup, 192.168.0.22) connected to the access point via
the radio interface.  I want to set up ipsec between flam and chup.

I constructed the following ipsec.conf on the flam machine:

add flam chup esp XXX -E blowfish-cbc 0xXXX -A hmac-sha1 0xXXX ;
add flam chup ah XXX -A hmac-sha2-512 0xXXX ;
add flam chup ipcomp XXX -C deflate -R ;

add chup flam esp XXX -E blowfish-cbc 0xXXX -A hmac-sha1 0xXXX ;
add chup flam ah XXX -A hmac-sha2-512 0xXXX ;
add chup flam ipcomp XXX -C deflate -R ;

spdadd 168.192.0.11 chup any -P out ipsec ipcomp/tunnel/168.192.0.11-168.192.0.22/use esp/tunnel/168.192.0.11-168.192.0.22/use ah/tunnel/168.192.0.11-168.192.0.22/use ;
spdadd chup 168.192.0.11 any -P in ipsec ipcomp/tunnel/168.192.0.22-168.192.0.11/require esp/tunnel/168.192.0.22-168.192.0.11/require ah/tunnel/168.192.0.22-168.192.0.11/require ; 

I ran setkey -f /etc/ipsec.conf on flam, and I did nothing on chup.
So my expectation was that the require policy above would prevent further
communication between flam and chup.

But nothing happened; I can still telnet from chup to flam.
(I also tried changing 168.192.0.22 to the IP address of the access point
 in the require policy.  That does not help either.)

What am I doing wrong?
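A policy that never matches is loaded silently, so a quick consistency check of the spdadd lines is useful before looking elsewhere. The following is an added example, not part of the original post or of NetBSD's setkey: it parses spdadd entries in setkey syntax and reports selector addresses that are not among the known hosts, and rules or tunnel endpoints whose local side is not the address of the host loading the file. The host table (flam 192.168.0.11, chup 192.168.0.22) is taken from the message; the sample text is the two spdadd lines above, and the control rule is constructed.

```python
import re

# Host table as stated at the top of the message (name -> address).
HOSTS = {"flam": "192.168.0.11", "chup": "192.168.0.22"}

# setkey syntax: spdadd src dst upperspec -P direction ipsec policy ... ;
RULE_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(.*?)\s*;", re.S)

def resolve(token):
    """Map a hostname or address token (optional /prefix or [port] dropped) to an address."""
    name = token.split("/")[0].split("[")[0]
    return HOSTS.get(name, name)

def check_spd(text, local):
    """Return a list of problems in the spdadd entries of `text` for a host whose
    own address is `local`: selector addresses must be known hosts, and the local
    host must be the source of -P out rules and the destination of -P in rules,
    both in the selector and in every tunnel endpoint pair."""
    known = set(HOSTS.values())
    problems = []
    for m in RULE_RE.finditer(text):
        src, dst, _upper, direction, policies = m.groups()
        src, dst = resolve(src), resolve(dst)
        for addr in (src, dst):
            if addr not in known:
                problems.append(f"-P {direction}: selector address {addr} is not a known host")
        # Local side is the selector source on the way out, the destination on the way in.
        local_side = src if direction == "out" else dst
        if local_side != local:
            problems.append(f"-P {direction}: selector local side is {local_side}, not {local}")
        for pol in policies.split():
            parts = pol.split("/")
            if len(parts) < 3 or parts[1] != "tunnel" or "-" not in parts[2]:
                continue  # transport mode or no endpoint pair: nothing to compare
            tsrc, tdst = parts[2].split("-", 1)
            tlocal = tsrc if direction == "out" else tdst
            if tlocal != local:
                problems.append(f"-P {direction}: {parts[0]} tunnel local endpoint is {tlocal}, not {local}")
    return problems

# Constructed sample: the two spdadd lines from the message, as loaded on flam.
SAMPLE = """
spdadd 168.192.0.11 chup any -P out ipsec ipcomp/tunnel/168.192.0.11-168.192.0.22/use esp/tunnel/168.192.0.11-168.192.0.22/use ah/tunnel/168.192.0.11-168.192.0.22/use ;
spdadd chup 168.192.0.11 any -P in ipsec ipcomp/tunnel/168.192.0.22-168.192.0.11/require esp/tunnel/168.192.0.22-168.192.0.11/require ah/tunnel/168.192.0.22-168.192.0.11/require ;
"""
# Constructed control: a transport-mode rule whose addresses agree with the host table.
CONTROL = "spdadd 192.168.0.11 192.168.0.22 any -P out ipsec esp/transport//require ;"

if __name__ == "__main__":
    for problem in check_spd(SAMPLE, HOSTS["flam"]):
        print(problem)
```

The checker only compares addresses; confirming what the kernel actually holds still needs setkey -DP on the host.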