Crypto Transform Mode Commands
XSR CLI Reference Guide 14-115
Example
This example defines two transform-sets, specifying that both can be used within a crypto map entry. When traffic matches ACL 101, the SA can use either transform-set my_t_set1 (first priority) or my_t_set2 (second priority), depending on which transform-set matches the remote peer's transform-sets.
XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set transform-set my_t_set1 my_t_set2
XSR(config-crypto-m)#set peer 10.0.0.1
crypto ipsec transform-set
This command defines a transform-set, which is an acceptable combination of security protocols and algorithms to apply to IP Security-protected traffic. During IPSec Security Association (SA) negotiation, peers agree to use a particular transform-set when protecting a particular data flow.
This command acquires Crypto Transform configuration mode. The following sub-commands are available in this mode:
• set pfs - Specifies that IPSec should ask for PFS when seeking new SAs for this crypto map entry, or that IPSec requires PFS when getting requests for new SAs. Refer to page 14-116 for the command definition.
• set security-association lifetime - Specifies the interval used when negotiating IPSec SAs. Refer to page 14-117 for the command definition.
A transform-set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security-protected traffic. During IPSec SA negotiation, the peers agree to use a particular transform-set when protecting a particular data flow.
Syntax
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
transform-set-name    Name of the transform-set to create or modify.
transform1    Specify up to 3 transforms defining the IPSec security protocols and algorithms. The choices are:
• ah-md5-hmac: AH transform with HMAC-MD5 algorithm.
• ah-sha-hmac: AH transform with HMAC-SHA algorithm.
• esp-3des: ESP transform with 168-bit Triple DES encryption.
• esp-aes: ESP transform with 128-bit AES encryption.
• esp-des: ESP transform with 56-bit DES encryption.
• esp-md5-hmac: ESP transform with HMAC-MD5 data integrity algorithm.
• esp-null: ESP transform with no encryption.
• esp-sha-hmac: ESP transform with HMAC-SHA data integrity algorithm.
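A small configuration linter, added here as an example and not taken from the XSR guide, that parses transform-set commands in the syntax above, groups the transforms listed on this page by role (AH, ESP encryption, ESP integrity) and reports sets that combine two transforms of one role, encrypt without any integrity protection, or use an algorithm on a weak list. The weak list and the aes_set line in the sample are constructed assumptions, not part of the page.

```python
import re
# Transform keywords from the page, grouped by the role each one fills in a set.
ROLE = {"ah-md5-hmac": "AH", "ah-sha-hmac": "AH",
        "esp-3des": "ESP encryption", "esp-aes": "ESP encryption",
        "esp-des": "ESP encryption", "esp-null": "ESP encryption",
        "esp-md5-hmac": "ESP integrity", "esp-sha-hmac": "ESP integrity"}
# Choices this linter flags (assumption: a local hardening policy, not from the page).
WEAK = {"esp-des": "56-bit DES", "esp-null": "no encryption",
        "esp-md5-hmac": "HMAC-MD5", "ah-md5-hmac": "HMAC-MD5"}
# Syntax from the page: crypto ipsec transform-set <name> transform1 [transform2 [transform3]]
LINE_RE = re.compile(r"^crypto ipsec transform-set (\S+)((?:\s+\S+){1,3})$")


def lint_transform_set(line):
    """Return (set name, list of findings) for one transform-set command line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "", ["malformed command: a name and 1 to 3 transforms are required"]
    name, transforms = m.group(1), m.group(2).split()
    findings, roles = [], {}
    for t in transforms:
        if t in ROLE:
            roles.setdefault(ROLE[t], []).append(t)
        else:
            findings.append(f"unknown transform '{t}'")
    # Each role may appear once: two ciphers or two hashes in one set is a configuration error.
    for role, chosen in roles.items():
        if len(chosen) > 1:
            findings.append(f"more than one {role} transform: {' '.join(chosen)}")
    # ESP with neither an ESP integrity transform nor AH leaves the payload unauthenticated.
    if "ESP encryption" in roles and not (roles.keys() & {"ESP integrity", "AH"}):
        findings.append("ESP without an integrity transform")
    findings += [f"weak choice {t} ({WEAK[t]})" for t in transforms if t in WEAK]
    return name, findings


def lint_config(text):
    """Lint every transform-set line in a config; a leading 'XSR(config)#' prompt is stripped."""
    results = {}
    for raw in text.splitlines():
        cmd = raw.split("#", 1)[-1].strip()
        if cmd.startswith("crypto ipsec transform-set"):
            name, findings = lint_transform_set(cmd)
            results[name or cmd] = findings
    return results


# Constructed input: the two sets from the page's example plus one added AES set.
SAMPLE_CONFIG = """
XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set aes_set esp-aes esp-sha-hmac
"""
```

Calling `lint_config(SAMPLE_CONFIG)` returns an empty finding list for aes_set and flags esp-des in both sets from the page's example.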