HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec and HP-UX Mobile IPv6
Configuration Overview
Appendix F
Figure F-4 Gateway IPsec Policies
Configuring Manual Keys
If the Mobile IPv6 client does not support IKE, you must use manual key
Security Associations (SAs). Manual key SAs do not use IKE to generate
and distribute encryption keys. Instead, the administrator manually
configures and distributes the encryption keys.
Manual Key SA Format
You specify information for manual key SAs with -in and -out
statements in host and tunnel policies:
    -in manual_key_sa_specification
    -out manual_key_sa_specification
The format for manual_key_sa_specification is:
    ESP/spi/auth_key/enc_key[/iv]
ESP indicates the transform is an ESP transform. For Mobile IPv6, you
must use an authenticated ESP transform with non-null encryption and
authentication methods.
spi is the decimal or hexadecimal (prefixed by 0x) Security Parameters
Index (SPI) number, used to identify the Security Association (SA). The
inbound SPI must be unique on the local system for all ESP SAs, outside
the range of dynamic SPI numbers, and match the outbound SPI on the
remote system. The outbound SPI must match the inbound SPI on the
remote system.
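
The SPI rules above can be checked before the policies are loaded. The following is an added example, not part of the HP guide or of HP-UX IPSec: parse_spec, check_spis, the placeholder keys and the dynamic SPI range are all hypothetical, and the real dynamic range must be taken from the local system.

```python
import re
from typing import NamedTuple, Optional

class ManualKeySA(NamedTuple):
    spi: int
    auth_key: str
    enc_key: str
    iv: Optional[str]

def parse_spec(spec: str) -> ManualKeySA:
    """Parse ESP/spi/auth_key/enc_key[/iv]. Keys and IV are kept as opaque strings."""
    parts = spec.strip().split("/")
    if len(parts) not in (4, 5) or parts[0] != "ESP":
        raise ValueError("expected ESP/spi/auth_key/enc_key[/iv]")
    spi_text = parts[1]
    if re.fullmatch(r"0x[0-9A-Fa-f]+", spi_text):
        spi = int(spi_text, 16)            # hexadecimal, prefixed by 0x
    elif re.fullmatch(r"[0-9]+", spi_text):
        spi = int(spi_text, 10)            # decimal
    else:
        raise ValueError(f"SPI {spi_text!r} is neither decimal nor 0x-prefixed hex")
    if not 0 < spi <= 0xFFFFFFFF:          # the ESP SPI field is 32 bits wide
        raise ValueError(f"SPI {spi} does not fit the 32-bit ESP SPI field")
    if not parts[2] or not parts[3]:       # authenticated ESP with non-null encryption
        raise ValueError("auth_key and enc_key must both be present")
    return ManualKeySA(spi, parts[2], parts[3], parts[4] if len(parts) == 5 else None)

def check_spis(local_in, local_out, remote_in, remote_out, other_local_inbound_spis, dynamic_range):
    """Return findings for one node's -in/-out specifications checked against its peer's."""
    lin, lout = parse_spec(local_in), parse_spec(local_out)
    rin, rout = parse_spec(remote_in), parse_spec(remote_out)
    findings = []
    if lin.spi in other_local_inbound_spis:
        findings.append("inbound SPI is not unique among local ESP SAs")
    if dynamic_range[0] <= lin.spi <= dynamic_range[1]:
        findings.append("inbound SPI falls inside the dynamic SPI range")
    if lin.spi != rout.spi:
        findings.append("inbound SPI does not match the remote outbound SPI")
    if lout.spi != rin.spi:
        findings.append("outbound SPI does not match the remote inbound SPI")
    return findings

# Constructed sample values: placeholder keys, made-up dynamic range (not HP-UX's actual range).
DYNAMIC_RANGE = (0x10000, 0xFFFFFFFF)
GATEWAY = {"in": "ESP/0x1F4/AUTH_KEY_A/ENC_KEY_A", "out": "ESP/501/AUTH_KEY_B/ENC_KEY_B"}
CLIENT = {"in": "ESP/501/AUTH_KEY_B/ENC_KEY_B", "out": "ESP/500/AUTH_KEY_A/ENC_KEY_A"}

if __name__ == "__main__":
    print(check_spis(GATEWAY["in"], GATEWAY["out"], CLIENT["in"], CLIENT["out"], {700}, DYNAMIC_RANGE))
```

An empty list means the pair satisfies every SPI rule stated above; run the same check from the peer's side with the arguments swapped to validate its inbound SPI as well.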