Selecting Appropriate Transforms; The Crypto Transform Configuration Mode; Changing Existing Transforms - Cisco SA-VAM - VPN Acceleration Module Installation And Configuration Manual

Vpn acceleration module 2+ (vam2+) installation and configuration guide
Chapter 4
Configuring the SA-VAM2+
ESP encapsulates the protected data (either a full IP datagram or only the payload) with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates and protects only the payload of an IP datagram. For more information about modes, refer to the mode (IPSec) command description.

Selecting Appropriate Transforms

The following tips may help you select transforms that are appropriate for your situation:

• If you want to provide data confidentiality, include an ESP encryption transform.

• If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)

• If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.

• If you want data authentication (either using ESP or AH), you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slightly slower.

• Note that some transforms might not be supported by the IPSec peer.

Note: If a user enters an IPSec transform that the hardware (the IPSec peer) does not support, a warning message will be displayed immediately after the crypto ipsec transform-set command is entered.

• In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform combinations follow:

• esp-aes and esp-sha-hmac

• ah-sha-hmac and esp-aes and esp-sha-hmac

The Crypto Transform Configuration Mode

After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, refer to the match address (IPSec) and mode (IPSec) command descriptions.

Changing Existing Transforms

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.

VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide, OL-5979-03
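The commands this section describes, shown together as an added IOS configuration walk-through (this is not configuration from the Cisco guide; the transform-set names and the choice of transport mode for the AH set are assumptions):

```cisco
! Encryption only: an ESP encryption transform with no ESP or AH authentication
! transform. The tips above advise adding an authentication transform to a set
! like this, since nothing in it authenticates the ESP payload.
crypto ipsec transform-set ENC-ONLY esp-aes
 exit
!
! Corrected: the first suggested combination, ESP-AES encryption plus
! ESP SHA-HMAC authentication. Issuing the command enters crypto transform
! configuration mode; the optional mode change is made there, and exit
! returns to global configuration mode. If the VAM2+ (the IPSec peer) does
! not support a transform, a warning is displayed right after the command.
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
 exit
!
! Second suggested combination: AH SHA-HMAC additionally authenticates the
! outer IP header. Transport mode is chosen here (an assumption) because
! this set is intended for traffic that originates and terminates at the
! IPSec peers themselves.
crypto ipsec transform-set AH-AES-SHA ah-sha-hmac esp-aes esp-sha-hmac
 mode transport
 exit
!
! Changing an existing set: re-issuing the command for AES-SHA with a new
! transform list replaces its previous transforms. esp-null satisfies the
! requirement for an encryption transform when packets are not to be
! encrypted; authentication is kept via esp-sha-hmac.
crypto ipsec transform-set AES-SHA esp-null esp-sha-hmac
 exit
!
! Leave configuration mode and verify each set's transforms and mode.
end
show crypto ipsec transform-set
```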
