Configuring Transform-Sets - Avaya G250 Administration

Configuring transform-sets

A transform-set defines the IKE phase 2 parameters. It specifies the encryption and
authentication algorithms to be used for, sets a security association lifetime, and specifies
whether PFS is enabled and which DH group it uses. In addition, it specifies the IPSec VPN
mode (tunnel or transport).
!
Important:
You must define at least one transform-set.
Important:
Note:
You can define up to 40 transform-sets.
Note:
1. Use the crypto ipsec transform-set command to enter the context of a
transform-set (and to create the transform-set if it does not exist). The command variables
include:
The name of the transform-set.
●
The encryption algorithm used by the transform-set. Possible values are esp-des,
●
esp-3des, esp-aes, esp-aes-192, esp-aes-256 and esp-null (no encryption).
The authentication algorithm used by the transform-set. Possible values are
●
esp-md5-hmac and esp-sha-hmac.
The IP compression algorithm used by the transform-set. The only possible value is
●
comp-lzs
G350-001# crypto ipsec transform-set ts1 esp-3des esp-md5-hmac comp-lzs
G350-001(config-transform:ts1)#
2. You can use the following commands to set the parameters of the transform-set:
Use the set pfs command to specify whether each IKE phase 2 negotiation
●
employs PFS (Perfect Forward Secrecy), and if yes, which Diffie-Hellman group to
employ. PFS ensures that even if someone were to discover the long-term secret(s),
the attacker would not be able to recover the session keys, both past and present. In
addition, the discovery of a session key compromises neither the long-term secrets nor
the other session keys. The default setting is no set pfs.
Use the set security-association lifetime seconds command to set the
●
security association lifetime in seconds.
Use the set security-association lifetime kilobytes command to set
●
the security association lifetime in kilobytes.
Configuring a site-to-site IPSec VPN
Issue 3 February 2007 457