Subject: Re: help with ipsec, again
To: None <netbsd-users@NetBSD.org>
From: Denis Lagno <dlagno@smtp.ru>
List: netbsd-users
Date: 01/30/2005 18:56:31
> I have one machine (flam, 192.168.0.11) connected to Wi-Fi access point (ap).
> Also I have laptop (chup, 192.168.0.22) connected to access point via
> radiointerface.  I want to organize ipsec between flam and chup.
> .....
> But nothing happened, I still can telnet from chup to flam.
> .....

OK, I've reduced my ipsec.conf files to just:

# at chup (168.192.0.22)
add flam chup esp XXX -E 3des-cbc 0xXXX
add chup flam esp YYY -E 3des-cbc 0xYYY
spdadd 168.192.0.22 0.0.0.0/0 any -P out ipsec esp/tunnel/168.192.0.22-192.168.0.11/use ;
spdadd 0.0.0.0/0 168.192.0.22 any -P in ipsec esp/tunnel/192.168.0.11-168.192.0.22/require ;


# at flam (168.192.0.11)
add flam chup esp XXX -E 3des-cbc 0xXXX
add chup flam esp YYY -E 3des-cbc 0xYYY
spdadd 0.0.0.0/0 chup any -P out ipsec esp/tunnel/168.192.0.11-168.192.0.22/use ;
spdadd chup 0.0.0.0/0 any -P in ipsec esp/tunnel/168.192.0.22-168.192.0.11/require ; 


But now the connection between flam and gado is lost.
And there is a strange difference: when I try to telnet to flam from chup
I immediately get:
Trying 192.168.0.11...
telnet: Unable to connect to remote host: Connection refused

But when I try to telnet to chup from flam it just waits at "Trying 192.168.0.22...".

What am I doing wrong?
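As an added example (not part of this message and not NetBSD's own tooling), here is a small Python consistency check for setkey(8) `spdadd` rules of the kind shown above. It assumes a host table built from the addresses quoted at the top of the thread (chup = 192.168.0.22, flam = 192.168.0.11) and a LAN prefix of 192.168.0.0/24; both are assumptions and should be adjusted for the real network. For each rule it checks that every concrete address lies inside that prefix, that the selector on the near side of a `-P out` / `-P in` rule covers the local host, and that in tunnel mode the near tunnel endpoint is the local host's own address. Run against the chup-side configuration exactly as posted it flags every `168.192.0.22` entry, which does not match the `192.168.0.22` address given for chup; against a constructed variant with those addresses inside the LAN prefix it reports nothing.

```python
import ipaddress
import re

# Assumed host table and LAN prefix, taken from the addresses quoted in the
# thread (chup = 192.168.0.22, flam = 192.168.0.11); adjust for your network.
HOSTS = {"chup": "192.168.0.22", "flam": "192.168.0.11"}
LAN = ipaddress.ip_network("192.168.0.0/24")

# Sample input: the chup-side ipsec.conf exactly as posted in the message.
SAMPLE_CONF = """\
# at chup (168.192.0.22)
add flam chup esp XXX -E 3des-cbc 0xXXX
add chup flam esp YYY -E 3des-cbc 0xYYY
spdadd 168.192.0.22 0.0.0.0/0 any -P out ipsec esp/tunnel/168.192.0.22-192.168.0.11/use ;
spdadd 0.0.0.0/0 168.192.0.22 any -P in ipsec esp/tunnel/192.168.0.11-168.192.0.22/require ;
"""

# Constructed comparison variant with every address inside 192.168.0.0/24.
FIXED_CONF = SAMPLE_CONF.replace("168.192.", "192.168.")

# spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/[TSRC-TDST]/LEVEL ;
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(\w+)/(?:([^\s/-]+)-([^\s/]+))?/(\w+)\s*;?\s*$"
)


def resolve(token):
    """Turn a host name or address[/prefix] into an ip_network (hosts become /32)."""
    if token not in HOSTS and not re.match(r"^[\d.]+(/\d+)?$", token):
        raise ValueError(f"unknown host name {token!r}")
    return ipaddress.ip_network(HOSTS.get(token, token), strict=False)


def check_spd(conf_text, local_host):
    """Return a list of findings for every spdadd rule that does not fit local_host."""
    local = ipaddress.ip_address(HOSTS[local_host])
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue  # SA 'add' lines and comments are not policy rules
        m = SPD_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: cannot parse spdadd rule")
            continue
        src, dst, _upper, direction, _proto, mode, t_src, t_dst, _level = m.groups()
        try:
            nets = {name: resolve(tok) for name, tok in
                    (("src", src), ("dst", dst),
                     ("tunnel-src", t_src), ("tunnel-dst", t_dst))
                    if tok is not None}
        except ValueError as e:
            findings.append(f"line {lineno}: {e}")
            continue
        # 1. Every concrete address must lie inside the LAN (0.0.0.0/0 is the wildcard).
        for name, net in nets.items():
            if net.prefixlen > 0 and not net.subnet_of(LAN):
                findings.append(f"line {lineno}: {name} {net} is outside {LAN}")
        # 2. The selector on the near side of the rule must cover this host.
        near = nets["src"] if direction == "out" else nets["dst"]
        if local not in near:
            findings.append(
                f"line {lineno}: -P {direction} selector {near} does not cover local {local}")
        # 3. In tunnel mode the near tunnel endpoint must be this host's own address.
        if mode == "tunnel":
            near_ep = nets["tunnel-src"] if direction == "out" else nets["tunnel-dst"]
            if near_ep.num_addresses != 1 or near_ep.network_address != local:
                findings.append(
                    f"line {lineno}: -P {direction} tunnel endpoint {near_ep} is not local {local}")
    return findings


if __name__ == "__main__":
    for f in check_spd(SAMPLE_CONF, "chup"):
        print(f)
```

The same function can be pointed at the flam-side file with `local_host="flam"`; it resolves the bare host names used there through the same table, so a name that is not in the table is reported rather than silently accepted.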