IPsec query: Configuring on-the-fly from unprivileged userspace

Well, I’m not sure where to ask this, I did ask on the netdev mailing list and while I don’t think it’ll get ignored indefinitely, I’m not sure that was the right place.  A stab in the dark if you will.  In the hope of netting more answers though, I cast this query into the blogosphere…

I’ve been toying with the idea of a small multicast VoIP/digital comms protocol for use over wireless radio links. The typical use case might be to replace UHF FM radio transceivers with modern smart phones, using multicast IPv6 networking over 802.11b. (It will have other modes too, transmission over amateur radio bands for instance.)

In some commercial settings, or over the Internet, it’d be great for traffic to be authenticated using HMAC-SHA1 or even encrypted. Looking at IPsec, I see it provides exactly this. My thought, why re-invent the
wheel when a solution may already exist?

The question though: Is it possible for a userspace application (non-privileged) to request that the UDP packets it generates/receives from/to a particular address be encrypted or hashed against a specified key?

i.e. if I decide to communicate with someone on the same wireless link, and by means of asymmetric crypto at higher layers we establish a shared AES key, can I configure the stack for traffic between these two hosts
on-the-fly and without root privileges?