Configuring Transform Sets - Cisco ISA550 Administration Manual

VPN
Configuring a Site-to-Site VPN
NOTE
STEP 1
STEP 2
STEP 3
STEP 4
Cisco ISA500 Series Integrated Security Appliances Administration Guide

Configuring Transform Sets

A transform set specifies the algorithms of integrity and encryption that the peer
will use to protect data communications. Two peers must use the same algorithm
to communicate.
Up to 16 transform sets can be configured on the security appliance.
Click VPN > Site-to-Site > Transform Policies.
The Transform Sets window opens. The default and custom transform sets are
listed in the table.
To add a new transform set, click Add.
Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click
the Delete (x) icon. To delete multiple entries, check them and click Delete. The
default transform set (DefaultTrans) cannot be edited or deleted.
The Transform Set - Add/Edit window opens.
Enter the following information:
• Name: Enter the name for the transform set.
• Integrity: Choose the HASH algorithm used to ensure the data integrity. It
ensures that a packet comes from where it says it comes from, and that it has
not been modified in transit.
- ESP_SHA1_HMAC: Authentication with SHA1 (160-bit).
- ESP_MD5_HMAC: Authentication with MD5 (128-bit). MD5 has a smaller
digest and is considered to be slightly faster than SHA1. A successful (but
extremely difficult) attack against MD5 has occurred; however, the HMAC
variant that IKE uses prevents this attack.
• Encryption: Choose the symmetric encryption algorithm that protects data
transmission between two IPsec peers. The default is ESP_3DES. The
Advanced Encryption Standard supports key lengths of 128, 192, 256 bits.
- ESP_3DES: Encryption with 3DES (168-bit).
- ESP_AES_128: Encryption with AES (128-bit).
- ESP_AES_192: Encryption with AES (192-bit).
- ESP_AES_256: Encryption with AES (256-bit).
Click OK to save your settings.
8
301