Defining a Transform Set
A transform set is a set of parameters for a specific IPsec connection (for an IPsec
SA, to be precise). It specifies the algorithms used for the AH and ESP protocols and
the mode (tunnel or transport) in which they are applied. It is possible to configure
many different transform sets, but there must be one set shared by both
gateways for each crypto map entry so that they can agree on a common set of
parameters. Transform sets are configured using the following command:
crypto ipsec transform-set
[
On the PIX firewall, the default is to use tunnel mode. Transport mode is
available only when using the L2TP protocol and is configured using the following
command:
crypto ipsec transform-set
It is possible to configure up to three transforms in a single set: zero or one
AH transform and zero, one, or two ESP transforms. When two ESP transforms
are configured, one of them must be an encryption transform and the other an
authentication transform. The available transforms are:
ah-md5-hmac The MD5-HMAC authentication algorithm is chosen for AH.
www.syngress.com
Configuring Virtual Private Networking • Chapter 7 365
ah-sha-hmac The SHA-1-HMAC authentication algorithm is chosen for AH.
esp-des The DES encryption algorithm (56-bit key) is chosen for ESP encryption.
esp-3des The Triple DES encryption algorithm (168-bit key) is chosen for ESP encryption.
esp-md5-hmac The MD5-HMAC authentication algorithm is chosen for ESP.
esp-sha-hmac The SHA-1-HMAC authentication algorithm is chosen for ESP.
In our example, we use ESP encryption with DES and authentication with
SHA-1-HMAC, without AH:
PIX1(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac
PIX2(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac
Configured transform sets can be checked using the show crypto ipsec
transform-set command:
PIX1(config)# show crypto ipsec transform-set
Transform set myset: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
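The rules above (at most three transforms, at most one AH transform, two ESP transforms only as one encryption plus one authentication, and a set that both gateways share) are easy to get wrong when a configuration is edited by hand. The following Python script is an added example, not code from the book or from Cisco: it parses PIX-style transform-set lines, checks them against those rules, flags the 56-bit DES and MD5-HMAC choices a reviewer would want to revisit today (that weak-algorithm list is this example's own assumption, not something the book states), and tests whether two gateways share a usable set. The sample configuration lines are constructed from the PIX1/PIX2 example in the text.

```python
"""Check PIX-style 'crypto ipsec transform-set' configuration against the
rules described in the text. Added example; the weak-algorithm list is an
assumption of this script, not a statement from the book."""
import re

# Transforms listed in the text, grouped by protocol and role.
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENCRYPT = {"esp-des", "esp-3des"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
KNOWN = AH_AUTH | ESP_ENCRYPT | ESP_AUTH

# Assumption for this example: transforms a reviewer would flag as weak
# (DES has a 56-bit key; MD5-HMAC is widely deprecated for new deployments).
WEAK = {"esp-des", "ah-md5-hmac", "esp-md5-hmac"}

# Matches an optional "PIX1(config)# " prompt, the command, the set name
# and everything after it (either transforms or "mode transport").
LINE_RE = re.compile(
    r"^(?:\S+\(config\)#\s*)?crypto ipsec transform-set\s+(\S+)\s+(.+)$")


def parse_config(lines):
    """Build {set_name: {"transforms": tuple, "mode": str}} from config lines.

    A 'mode transport' line modifies an already-defined set; other lines
    define (or redefine) a set in the PIX default, tunnel mode.
    """
    sets = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a transform-set command; ignore
        name, rest = m.group(1), m.group(2).split()
        if rest[:2] == ["mode", "transport"]:
            if name in sets:
                sets[name]["mode"] = "transport"
        else:
            sets[name] = {"transforms": tuple(rest), "mode": "tunnel"}
    return sets


def validate(transforms):
    """Return a list of rule violations for one set; empty means it is valid."""
    errors = []
    unknown = [t for t in transforms if t not in KNOWN]
    if unknown:
        errors.append("unknown transform(s): " + ", ".join(unknown))
    if len(transforms) > 3:
        errors.append("more than three transforms")
    ah = [t for t in transforms if t in AH_AUTH]
    esp_enc = [t for t in transforms if t in ESP_ENCRYPT]
    esp_auth = [t for t in transforms if t in ESP_AUTH]
    if len(ah) > 1:
        errors.append("more than one AH transform")
    if len(esp_enc) > 1 or len(esp_auth) > 1:
        errors.append("two ESP transforms must be one encryption and one authentication")
    return errors


def weak_transforms(transforms):
    """Transforms in the set that this example treats as weak, sorted."""
    return sorted(t for t in transforms if t in WEAK)


def peers_agree(sets_a, sets_b):
    """True if the two gateways have at least one set with identical
    transforms and mode (names need not match; parameters must)."""
    a = {(s["transforms"], s["mode"]) for s in sets_a.values()}
    b = {(s["transforms"], s["mode"]) for s in sets_b.values()}
    return bool(a & b)


# Constructed sample configuration, mirroring the PIX1/PIX2 example above.
PIX1_CONFIG = ["PIX1(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac"]
PIX2_CONFIG = ["PIX2(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac"]

if __name__ == "__main__":
    pix1, pix2 = parse_config(PIX1_CONFIG), parse_config(PIX2_CONFIG)
    for name, s in pix1.items():
        print(name, s["transforms"], s["mode"],
              "errors:", validate(s["transforms"]),
              "weak:", weak_transforms(s["transforms"]))
    print("peers agree:", peers_agree(pix1, pix2))
```

Run as a script it reports the example set as valid but flags esp-des; feed it a full device configuration (one line per element) to check every set and then compare two gateways before bringing up a tunnel.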