Example
This example defines two transform‐sets and specifies that both can be used within a crypto map entry. When traffic matches ACL 101, the SA can use either transform‐set my_t_set1 (first priority) or my_t_set2 (second priority), depending on which transform‐set matches the remote peer's transform‐sets.
XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set transform-set my_t_set1 my_t_set2
XSR(config-crypto-m)#set peer 10.0.0.1
Crypto Transform Mode Commands
crypto ipsec transform-set
This command defines a transform‐set, which is an acceptable combination of security protocols and algorithms to apply to IP Security‐protected traffic. During IPSec Security Association (SA) negotiation, peers agree to use a particular transform‐set when protecting a particular data flow.
This command acquires Crypto Transform configuration Mode. The following sub‐commands are available in this mode:
• set pfs ‐ Specifies that IPSec should ask for PFS when seeking new SAs for this crypto map entry, or that IPSec requires PFS when getting requests for new SAs. Refer to page 14‐116 for the command definition.
• set security-association lifetime ‐ Specifies the interval used when negotiating IPSec SAs. Refer to page 14‐117 for the command definition.
A transform‐set is an acceptable combination of security protocols, algorithms and other settings
to apply to IP Security‐protected traffic. During IPSec SA negotiation, the peers agree to use a
particular transform‐set when protecting a particular data flow.
Syntax
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
transform-set-name ‐ Name of the transform‐set to create or modify.
transform1 ‐ Specify up to 3 transforms defining the IPSec security protocols and algorithms. The choices are:
• ah‐md5‐hmac: AH transform with HMAC‐MD5 algorithm.
• ah‐sha‐hmac: AH transform with HMAC‐SHA algorithm.
• esp‐3des: ESP transform with 168‐bit Triple DES encryption.
• esp‐aes: ESP transform with 128‐bit AES encryption.
• esp‐des: ESP transform with 56‐bit DES encryption.
• esp‐md5‐hmac: ESP transform with HMAC‐MD5 data integrity algorithm.
• esp‐null: ESP transform with no encryption.
• esp‐sha‐hmac: ESP transform with HMAC‐SHA data integrity algorithm.
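As an added example (not from the guide or the XSR itself), the Python below parses transform‐set lines of the form shown in the example at the top of the page, selects the first set in crypto‐map priority order whose transform combination the peer also proposes, and flags transforms a configuration review should question. The WEAK classification, the third transform‐set my_t_set3 and the peer proposals are constructed assumptions, not XSR behaviour documented here.

```python
import re

# Transform keywords accepted by "crypto ipsec transform-set", as listed on this page.
KNOWN = {"ah-md5-hmac", "ah-sha-hmac", "esp-3des", "esp-aes", "esp-des",
         "esp-md5-hmac", "esp-null", "esp-sha-hmac"}
# Reviewer's classification (assumption, not from the page): DES, MD5 and null ESP are weak; 3DES is deprecated.
WEAK = {"esp-des", "esp-null", "ah-md5-hmac", "esp-md5-hmac", "esp-3des"}
_TS_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+)(.*)$", re.M)

def parse_transform_sets(config):
    """Return {name: tuple(transforms)} for every transform-set line in a config dump."""
    sets = {}
    for m in _TS_RE.finditer(config):
        name, transforms = m.group(1), tuple(m.group(2).split())
        if not 1 <= len(transforms) <= 3:
            raise ValueError(f"{name}: expected 1 to 3 transforms, got {len(transforms)}")
        unknown = [t for t in transforms if t not in KNOWN]
        if unknown:
            raise ValueError(f"{name}: unknown transform(s) {unknown}")
        sets[name] = transforms
    return sets

def negotiate(local_order, local_sets, peer_sets):
    """Return the first transform-set, in crypto-map priority order, whose transform
    combination the peer also proposes; names are local, so match on contents."""
    peer_combos = {frozenset(p) for p in peer_sets}
    for name in local_order:
        if frozenset(local_sets[name]) in peer_combos:
            return name
    return None  # nothing in common: the SA negotiation fails

def weak_transforms(transforms):
    """Transforms in a set that a configuration review should flag."""
    return sorted(t for t in transforms if t in WEAK)

# Constructed sample config: the page's two transform-sets plus a stronger third one.
SAMPLE_CONFIG = """\
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set3 esp-aes esp-sha-hmac
"""
# Constructed peer proposals, in the order the remote side lists them.
PEER_OFFER = [("esp-aes", "esp-sha-hmac"), ("esp-sha-hmac", "esp-des", "ah-sha-hmac")]

if __name__ == "__main__":
    sets = parse_transform_sets(SAMPLE_CONFIG)
    chosen = negotiate(["my_t_set1", "my_t_set2"], sets, PEER_OFFER)  # -> my_t_set2
    print(chosen, "uses weak transforms:", weak_transforms(sets[chosen]))  # ['esp-des']
```

Note that the crypto map's priority order decides only among sets the peer also offers: here the stronger my_t_set3 is never chosen because it is not listed in the map, and the agreed set still carries single DES.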
XSR CLI Reference Guide 14-115