Subject: ipsec
To: None <tech-net@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: tech-net
Date: 07/30/1999 14:44:38

I'm lost in the land of ipsec. I've done the following:

    # setkey -f /etc/setkey.conf

/etc/setkey.conf contains:

    flush ;
    add 140.174.88.0/24 140.174.88.0/24 any 9999 -p esp -E des-cbc "2c3abcba"
    -A hmac-md5 "2c3abcba2c3abcba" ;

    # setkey -D
    140.174.88.0/24[0] 140.174.88.0/24[0] any
    esp spi=9999(0x0000270f) replay=0 flags=0x00000000
    E: des-cbc 32633361 62636261
    A: hmac-md5 32633361 62636261 32633361 62636261
    state=mature seq=0 pid=14679
    created: Jul 29 13:55:05 1999 current: Jul 29 13:55:10 1999
    diff: 5(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    dir=bi-direction refcnt=1

Then I telnet to myself:

    $ telnet -P "ipsec esp" 140.174.88.1

The console prints out:

    IPv4 ESP input: no key association found for spi 9999;dropping the packet for simplicity

I'm clearly in need of another clue. What exactly doesn't it like and
how do I fix it? I thought the "2c3abcba" was the key and it was
clearly associated with spi 9999.

The same thing happens under ipv6. I'm running a kernel with the
stock ipsec config from GENERIC.v6 and a "domestic" user-land. This
is all on recent -current (7/21).

-wolfgang
--
Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet http://www.wsrcc.com/wolfgang/gps/dgps-ip.html