HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec and HP-UX Mobile IPv6
Configuration Overview
Chapter 7 209
Using Manual Keys
Mobile IPv6 uses manual key Security Associations (SAs). Manual key
SAs do not use IKE to generate and distribute encryption keys. Instead,
the administrator manually configures and distributes the encryption
keys.
Selecting Encryption Keys
You should configure strong, random encryption keys for manual key
SAs. If you are using DES or 3DES encryption and the key is not
sufficiently strong, ipsec_config reports an error message similar to
one of the following:
Weak DES encryption key: 0xhhhh....
Weak 3DES encryption key: 0xhhhh....
Using the HP-UX Strong Random Number Generator
One way to generate strong encryption keys is to use the HP-UX Strong
Random Number Generator product, available at no cost from the HP
Software Depot (http://software.hp.com). After you have installed the
HP-UX Strong Random Number Generator, you can generate a random
number and use the od utility to display an ASCII string of the
hexadecimal digits by executing the following command sequence:
od -Ax -Nnn /dev/random
nn is the number of bytes to extract from the random number generator.
For example, the following command extracts and displays a 24-byte
random number for a 3DES encryption key:
od -Ax -N24 /dev/random
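The following sketch is an added example, not part of the HP guide or of HP-UX IPSec: it draws key bytes as one bare hex string and screens the result before it is configured as a manual key. The function names, the od -An -tx1 options (standard POSIX od options that print bare hex bytes), and the weak-key criteria (the well-known DES weak and semi-weak keys with parity bits ignored, plus 3DES keys whose adjacent subkeys are equal) are assumptions; the guide does not say which test ipsec_config applies.

```shell
# Added example (not HP code). The weak-key criteria are assumptions, not
# ipsec_config's documented test.
# The 4 weak and 12 semi-weak DES keys, in their usual odd-parity form.
WEAK_DES="0101010101010101 fefefefefefefefe e0e0e0e0f1f1f1f1 1f1f1f1f0e0e0e0e
01fe01fe01fe01fe fe01fe01fe01fe01 1fe01fe00ef10ef1 e01fe01ff10ef10e
01e001e001f101f1 e001e001f101f101 1ffe1ffe0efe0efe fe1ffe1ffe0efe0e
011f011f010e010e 1f011f010e010e01 e0fee0fef1fef1fe fee0fee0fef1fef1"

# Print $1 random bytes from $2 (default /dev/random) as one hex string.
gen_hex_key() {
    od -An -tx1 -N"$1" "${2:-/dev/random}" | tr -d ' \t\n'
}

# DES ignores the low bit of each key byte; set it so parity variants compare equal.
norm_parity() {
    hex=$1 out=
    while [ -n "$hex" ]; do
        rest=${hex#??}; byte=${hex%$rest}
        out=$out$(printf '%02x' $(( 0x$byte | 1 )))
        hex=$rest
    done
    printf '%s' "$out"
}

# True if the 16-hex-digit block $1 is a weak or semi-weak DES key.
is_weak_des() {
    cand=$(norm_parity "$1")
    for w in $WEAK_DES; do
        [ "$cand" = "$(norm_parity "$w")" ] && return 0
    done
    return 1
}

# check_key HEX: 0 = usable, 1 = weak, 2 = malformed (DES = 16 digits, 3DES = 48).
check_key() {
    key=$(printf '%s' "${1#0x}" | tr 'A-F' 'a-f')
    case $key in ''|*[!0-9a-f]*) return 2 ;; esac
    case ${#key} in 16|48) ;; *) return 2 ;; esac
    prev=
    while [ -n "$key" ]; do
        blk=$(printf '%s' "$key" | cut -c1-16)
        key=$(printf '%s' "$key" | cut -c17-)
        is_weak_des "$blk" && return 1
        blk=$(norm_parity "$blk")
        [ "$blk" = "$prev" ] && return 1   # K1=K2 or K2=K3 collapses 3DES to DES
        prev=$blk
    done
    return 0
}
```

A typical use is to call gen_hex_key 24 for a 3DES key, pass the result to check_key, and draw a new key if the return status is 1.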
Troubleshooting Manual Key Problems
Troubleshooting manual key problems can be difficult because there are
no IKE negotiations and no IKE audit messages. See Chapter 5, “Manual
Keys Fail” on page 178 for information on troubleshooting manual keys.
Configuration Procedure
Use the following procedure to configure HP-UX IPSec on a Mobile IPv6
Home Agent.