Configuring transform-sets

Last Updated: Feb 21, 2024

About this task

A transform-set defines the IKE phase 2 (IPSec security association) parameters. It specifies the ESP encryption and authentication algorithms to be used, sets the security association lifetime, specifies whether Perfect Forward Secrecy (PFS) is enabled and, if so, which Diffie-Hellman group it uses, and sets the IPSec VPN mode (tunnel or transport).

Note:

You can define up to 40 transform-sets.

Important:

Define at least one transform-set.

Procedure

  1. Use the crypto ipsec transform-set command to enter the context of a transform-set (and to create the transform-set if it does not exist).

    The command variables include:

    • The name of the transform-set

    • The encryption algorithm used by the transform-set. Possible values are esp-aes, esp-aes-192, esp-aes-256 and esp-null (no encryption). With esp-null, ESP only authenticates the payload; the data itself crosses the network in clear, so use it only where confidentiality is deliberately not required.

    • The authentication algorithm used by the transform-set. Possible values are esp-md5-hmac and esp-sha-hmac. Prefer esp-sha-hmac; choose esp-md5-hmac only when a remote peer cannot negotiate anything else.

    • The IP compression algorithm used by the transform-set. The only possible value is comp-lzs.

    For example:

    crypto ipsec transform-set ts1 esp-aes esp-sha-hmac comp-lzs
  2. You can use the following commands to set the parameters of the transform-set:
    • Use the set pfs command to specify whether each IKE phase 2 negotiation performs a fresh Diffie-Hellman exchange, that is, employs Perfect Forward Secrecy (PFS), and if so, which Diffie-Hellman group to use. With PFS, an attacker who later obtains the long-term secret(s) cannot recover the session keys, past or present, of sessions they recorded, and the compromise of one session key exposes neither the long-term secrets nor any other session key. The default setting is no set pfs (PFS disabled).

    • Use the set security-association lifetime seconds command to set the security association lifetime in seconds.

    • Use the set security-association lifetime kilobytes command to set the security association lifetime in kilobytes.

    • Use the mode command to set the IPSec mode (tunnel or transport). Transport mode does not add an outer (tunnel) IP header; it protects the payload of the original packet and keeps the original packet's IP header. It can therefore be used only when the VPN tunnel endpoints are the original packet's source and destination IP addresses, which is generally the case when running GRE over IPSec. Transport mode also cannot be used unless the remote VPN peer supports it and is configured to use it; otherwise the negotiation fails.

      Gxxx-001(config-transform:ts1)# set pfs group2
      Done!
      Gxxx-001(config-transform:ts1)# set security-association lifetime seconds 7200
      Done!
      Gxxx-001(config-transform:ts1)# set security-association lifetime kilobytes 268435456
      Gxxx-001(config-transform:ts1)# mode tunnel
      Done!
  3. Exit the crypto transform-set context with the exit command.
    Gxxx-001(config-transform:ts1)# exit
    Gxxx-001#
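The review a security engineer would want to run over a set of transform-set definitions, as an added example in Python (not Avaya code and not part of this page). It parses the `crypto ipsec transform-set` syntax documented in the procedure above from a constructed text configuration, enforces the 40-set limit, and flags the weak or incomplete choices discussed above (esp-null, esp-md5-hmac, PFS left at its default of disabled, no explicit SA lifetime, transport mode). Assumptions: the saved configuration lists each transform-set context line by line exactly as the commands are typed (header line, then set/mode lines, then exit), tunnel mode applies when no mode command is present, and the finding texts are this example's own wording.

```python
"""Audit IPSec transform-set definitions for weak or incomplete settings.

Added example, not Avaya code. Assumes the configuration text lists each
transform-set context as the CLI commands documented above are typed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

MAX_TRANSFORM_SETS = 40  # limit stated in the documentation

ENCRYPTION = {"esp-aes", "esp-aes-192", "esp-aes-256", "esp-null"}
AUTHENTICATION = {"esp-md5-hmac", "esp-sha-hmac"}

# crypto ipsec transform-set <name> <encryption> <authentication> [comp-lzs]
HEADER = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)(?: (comp-lzs))?$")


@dataclass
class TransformSet:
    name: str
    encryption: str
    authentication: str
    compression: bool = False
    pfs_group: Optional[str] = None      # None == "no set pfs" (the documented default)
    lifetime_seconds: Optional[int] = None
    lifetime_kilobytes: Optional[int] = None
    mode: str = "tunnel"                 # assumption: tunnel unless "mode transport" is given


def parse_transform_sets(config: str) -> list[TransformSet]:
    """Parse every transform-set context out of a text configuration."""
    sets: list[TransformSet] = []
    current: Optional[TransformSet] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = HEADER.match(line)
        if m:
            name, enc, auth, comp = m.groups()
            if enc not in ENCRYPTION or auth not in AUTHENTICATION:
                raise ValueError(f"{name}: unsupported algorithm {enc}/{auth}")
            current = TransformSet(name, enc, auth, compression=comp is not None)
            sets.append(current)
        elif current is None:
            continue                      # not inside a transform-set context
        elif line == "exit":
            current = None
        elif line == "no set pfs":
            current.pfs_group = None
        elif line.startswith("set pfs "):
            current.pfs_group = line.split()[2]
        elif line.startswith("set security-association lifetime seconds "):
            current.lifetime_seconds = int(line.split()[-1])
        elif line.startswith("set security-association lifetime kilobytes "):
            current.lifetime_kilobytes = int(line.split()[-1])
        elif line.startswith("mode "):
            current.mode = line.split()[1]
    if len(sets) > MAX_TRANSFORM_SETS:
        raise ValueError(f"{len(sets)} transform-sets exceed the limit of {MAX_TRANSFORM_SETS}")
    return sets


def audit(ts: TransformSet) -> list[str]:
    """Return the findings for one transform-set (an empty list means no concerns)."""
    findings = []
    if ts.encryption == "esp-null":
        findings.append("esp-null: no confidentiality, ESP only authenticates the payload")
    if ts.authentication == "esp-md5-hmac":
        findings.append("esp-md5-hmac: weak integrity algorithm, prefer esp-sha-hmac")
    if ts.pfs_group is None:
        findings.append("no PFS: a leaked long-term secret exposes recorded sessions")
    if ts.lifetime_seconds is None and ts.lifetime_kilobytes is None:
        findings.append("no explicit SA lifetime: rekey interval left at the platform default")
    if ts.mode == "transport":
        findings.append("transport mode: valid only if the peer is also configured for it")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    return {ts.name: audit(ts) for ts in parse_transform_sets(config)}


# Constructed sample configuration: one hardened set and one legacy set.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ts1 esp-aes-256 esp-sha-hmac
 set pfs group2
 set security-association lifetime seconds 7200
 set security-association lifetime kilobytes 268435456
 mode tunnel
 exit
crypto ipsec transform-set legacy esp-null esp-md5-hmac comp-lzs
 mode transport
 exit
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the sample, ts1 produces no findings and legacy produces one finding per weak choice. The parser deliberately rejects unknown algorithm names rather than guessing, so a typo in a transform-set line surfaces as an error instead of a silently skipped set.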