D-Link DI-1750 Reference Manual page 365


The any keyword in a permit statement is discouraged when you have multicast traffic flowing through
the IPSec interface; the any keyword can cause multicast traffic to fail. The permit any any statement
is strongly discouraged, as this will cause all outbound traffic to be protected (and all protected traffic
sent to the peer specified in the corresponding crypto map entry) and will require protection for all
inbound traffic.
3. Define Transform Sets
A transform set represents a certain combination of security protocols and algorithms. During the IPSec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a
crypto map entry.
During IPSec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and will be applied to the
protected traffic as part of both peers' IPSec security associations.
With manually established security associations, there is no negotiation with the peer, so both sides
must specify the same transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change will not be applied to existing security associations, but will be used in
subsequent negotiations to establish new security associations. If you want the new settings to take
effect sooner, you can clear all or part of the security association database by using the clear crypto sa
command.
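The matching rule described above, modelled as an added example (not code from the manual or from D-Link). The transform names are Cisco-style constructed placeholders, since this page does not list the DI-1750's transform names. Comparing the mode along with the algorithms, ignoring the set name, and trying sets in the initiator's order are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TransformSet:
    name: str              # local label; assumed not to be compared between peers
    transforms: frozenset  # transform names; the values used below are constructed
    mode: str = "tunnel"   # "tunnel" or "transport"

    def proposal(self):
        # What must be "the same at both peers": algorithms plus mode (assumption).
        return (self.transforms, self.mode)


def negotiate(initiator_sets, responder_sets):
    """IKE case: return (initiator_set, responder_set) for the first initiator
    set that the responder also defines, or None if the peers share none.
    Trying sets in the initiator's configured order is an assumption."""
    offered = {}
    for ts in responder_sets:
        offered.setdefault(ts.proposal(), ts)
    for ts in initiator_sets:
        if ts.proposal() in offered:
            return ts, offered[ts.proposal()]
    return None


def manual_sa_ok(local, remote):
    """Manual SAs: no negotiation, so the one configured set must be identical."""
    return local.proposal() == remote.proposal()


# Constructed sample configuration for two peers (not taken from the manual).
ROUTER_A = [
    TransformSet("strong", frozenset({"esp-3des", "esp-sha-hmac"})),
    TransformSet("legacy", frozenset({"esp-des", "esp-md5-hmac"})),
]
ROUTER_B = [TransformSet("dlink", frozenset({"esp-des", "esp-md5-hmac"}))]

if __name__ == "__main__":
    match = negotiate(ROUTER_A, ROUTER_B)
    if match is None:
        print("no common transform set: no SA will be established")
    else:
        print(f"A:{match[0].name} <-> B:{match[1].name}", sorted(match[0].transforms))
    print("manual SA, A:strong vs B:dlink ok?", manual_sa_ok(ROUTER_A[0], ROUTER_B[0]))
```

In this sample the only set common to both peers is the weaker one, so that is what ends up protecting the flow; a set left in a crypto map entry for compatibility can be the one that is selected.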
To define a transform set, use the following commands starting in global configuration mode:

Command: crypto ipsec transform-set transform-set-name
Purpose: Defines a transform set and enters crypto transform configuration mode.

Command: transform-type transform1 [transform2[transform3]]
Purpose: Configure transform type.

Command: mode [tunnel | transport]
Purpose: (Optional) Changes the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)

Command: exit
Purpose: Exits the crypto transform configuration mode.

[DEFAULT@Router /config/]#crypto
Key Word:
U(undo)
D(default)
Q(quit)
(00)dynamic-map      Specify a dynamic crypto map template
(01)ipsec            Configure IPSEC policy
(02)isakmp           Configure ISAKMP policy
(03)map              Enter a crypto map
Please Input the code of command to be excute(0-3): 1
Key Word:
Q(quit)
(00)transform-set    Define transform and settings
(01)secure           Only allow secure ip packets
Please Input the code of command to be excute(0-1): 0
Key Word:
Q(quit)
(00)WORD             Transform set name
Please Input the code of command to be excute(0-0): 0
Please input a string:dlink (Input Transform set name, here is only for example)
Will you excute it? (Y/N):y
Key Word:

This manual is also suitable for:

Di-2621, Di-2630, Di-3660
