Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 108

Configuration Examples for Implementing IPSec Network Security for Locally Sourced and Destined Traffic
crypto ipsec transform-set myset2
transform esp-des esp-sha
Another transform set example is myset3, which uses 3DES encryption and MD5 (HMAC variant) for
data packet authentication:
crypto ipsec transform-set myset3
transform esp-3des esp-md5-hmac
A dynamic crypto profile named toRemoteSite is created and joins the IPSec access list and transform
set:
crypto ipsec profile toRemoteSite
The toRemoteSite profile is applied to a tunnel-ipsec interface:
interface tunnel-ipsec0
The tunnel destination is not required when the profile is dynamic.
Configuring a Static Profile and Attaching to Transport: Example
The following example shows a minimal IPSec configuration in which a static profile is created and
attached to a transport.
An IPSec access list named sample3 defines which traffic to protect:
ipv4 access-list sample3 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
A transform set defines how the traffic is protected. In this example, transform set myset1 uses DES
encryption and SHA for data packet authentication:
crypto ipsec transform-set myset1
transform esp-des esp-sha
Another transform set example is myset2, which uses 3DES encryption and the MD5 (HMAC variant)
for data packet authentication:
crypto ipsec transform-set myset2
transform esp-3des esp-md5-hmac
A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set:
crypto ipsec profile toRemoteSite
The toRemoteSite profile is applied to a transport:
crypto ipsec transport
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
SC-102
match sample2 transform-set myset3
set type dynamic
end
profile toRemoteSite
tunnel source 10.0.0.2
match sample3 transform-set myset2
end
profile toRemoteSite
end
Implementing IPSec Network Security on Cisco IOS XR Software
OL-20382-01