All Cisco-Network Study Notes: Defining a Transform Set

Defining a Transform Set

A transform set is a set of ambit for a specific IPsec affiliation (for an IPsec

SA, to be precise). It specifies the algorithms acclimated for AH and ESP protocols and

the approach (tunnel or transport) in which they are applied. It is accessible to configure

many altered transform sets, but there charge be one set aggregate by both

gateways for anniversary crypto map access so that they can accede on a accepted set of

parameters.Transform sets are configured application the afterward command:

crypto ipsec transform-set [

[]]

On the PIX firewall, the absence is to use adit mode.Transport approach is

available alone back application the L2TP agreement and is configured application the following

command:

crypto ipsec transform-set approach transport

It is accessible to configure up to three transforms in a distinct set: aught or one

AH transforms and zero, one, or two ESP transforms.When two ESP transforms

are configured, one of them charge be an encrypted transform and the added an

authentication transform.The accessible transforms are:

ah-md5-hmac The MD5-HMAC affidavit algorithm is chosen

for AH.

www.syngress.com

Configuring Virtual Private Networking • Chapter 7 365

ah-sha-hmac The SHA-1-HMAC affidavit algorithm is chosen

for AH.

esp-des The DES encryption algorithm (56-bit key) is called for ESP

encryption.

esp-3des The Triple DES encryption algorithm (168-bit key) is chosen

for ESP encryption.

esp-md5-hmac The MD5-HMAC affidavit algorithm is chosen

for ESP.

esp-sha-hmac The SHA-1-HMAC affidavit algorithm is chosen

for ESP.

In our example, we use ESP encryption with DES and affidavit with

SHA-1-HMAC after AH:

PIX1(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac

PIX2(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac

Configured transform sets can be arrested application the appearance crypto ipsec

transform-set command:

PIX1(config)# appearance crypto ipsec transform-set

Transform set myset: { esp-des esp-sha-hmac }

will accommodate = { Tunnel, },