Define Transform Sets; Selecting Appropriate Transform Sets; Configuring Transform-Set Using CLI - Motorola WS5100 Series Migration Guide


• ESP Authentication Transform — esp-md5-hmac, esp-sha-hmac
NOTE: You can also configure the mode for data traffic. AH and ESP authentication cannot be used together. The mode for data traffic can be either:
• Transport — This mode protects only the payload of an IP datagram.
• Tunnel — This mode protects a full IP datagram.

11.3.3.1 Define Transform Sets

A transform set is a particular combination of security protocols (AH, ESP) and algorithms (the encryption and authentication types) applied to protected traffic. During IPSec security association negotiation, the peers agree to use one transform set for protecting a given data flow.
Both AH and ESP implement security services for IPSec. AH provides data authentication and anti-replay services. ESP provides packet encryption plus optional data authentication and anti-replay services.
ESP encapsulates the protected data (either a full IP datagram or only the payload) between an ESP header and an ESP trailer. AH is embedded in the protected data: the AH header is inserted immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers themselves can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, including its original IP header; transport mode encapsulates and protects only the payload of an IP datagram, so the original IP header travels unencrypted.

11.3.3.2 Selecting Appropriate Transform Sets

The following tips may help you select transform sets that are appropriate for your situation:
• If you want data confidentiality, include an ESP encryption transform.
• If you want data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header integrity to be debatable; ESP never covers the outer header.)
• If you use an ESP encryption transform, also include an ESP authentication transform (esp-md5-hmac or esp-sha-hmac). Encryption without an integrity check does not detect modification of the ciphertext in transit.
• If you want data authentication (using either ESP or AH), you can choose between the MD5 and SHA authentication algorithms (HMAC keyed-hash variants). SHA is generally considered stronger than MD5 and should be preferred; it is somewhat slower.
Not every transform set is supported by every IPSec peer. With manually established security associations there is no negotiation with the peer, so both sides must specify the same transform set.
If you change a transform set definition, the change applies only to the crypto map entries that reference that transform set. Any change to a transform set deletes the existing SAs that were built from it.
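The second and third tips above, demonstrated on a constructed packet. This is an added example, not code from the WS5100 guide or from Motorola: it shows that an AH integrity check covers the outer IP header (so a rewritten destination address is detected while a routine TTL decrement is tolerated), and that an ESP encryption transform used without an ESP authentication transform lets a single ciphertext bit flip change the decrypted data undetected, whereas adding esp-sha-hmac makes the receiver reject the same packet. The IP header, payload, keys and SPI are constructed values, and a SHA-256 counter keystream stands in for esp-3des (assumption; the point holds for any cipher used without integrity protection).

```python
import hashlib
import hmac
import struct

# Constructed sample packet (not captured traffic): a 20-byte IPv4 header plus
# a payload, as it would travel between two IPSec peers.
OUTER_IP_HEADER = bytes.fromhex(
    "4500003c1c4640004006b1e6"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum
    "c0a80001"                  # source 192.168.0.1
    "c0a80002"                  # destination 192.168.0.2
)
PAYLOAD = b"GET /config HTTP/1.1\r\nHost: ws5100\r\n\r\n"
AUTH_KEY = b"constructed-demo-auth-key"  # on a real SA these come from IKE
ENC_KEY = b"constructed-demo-enc-key"
SPI, SEQ = 0x1000, 1

# The two HMAC variants the page lists. HMAC-MD5-96 and HMAC-SHA-1-96 truncate
# the MAC to its first 96 bits (RFC 2403, RFC 2404).
ICV_DIGEST = {"md5": hashlib.md5, "sha": hashlib.sha1}


def icv(digest, data):
    return hmac.new(AUTH_KEY, data, ICV_DIGEST[digest]).digest()[:12]


def zero_mutable_fields(ip_hdr):
    # AH hashes fields that legitimately change in transit as zero:
    # TOS, flags/fragment offset, TTL and the header checksum.
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(ip_hdr, payload, digest="sha"):
    """AH: the ICV covers the outer IP header (immutable parts) AND the payload."""
    return icv(digest, zero_mutable_fields(ip_hdr) + payload)


def ah_verify(ip_hdr, payload, tag, digest="sha"):
    return hmac.compare_digest(tag, ah_protect(ip_hdr, payload, digest))


def keystream(key, length):
    # Stand-in for the esp-3des encryption transform (assumption: a SHA-256
    # counter keystream, not 3DES). The malleability shown below is a property
    # of any cipher used without an integrity check, not of this stand-in.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + struct.pack("!I", ctr)).digest()
    return out[:length]


def esp_protect(payload, digest=None):
    """ESP: encrypt the payload; the optional ICV covers the ESP header and the
    ciphertext only. The outer IP header is never part of the ESP ICV."""
    esp_hdr = struct.pack("!II", SPI, SEQ)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(ENC_KEY, len(payload))))
    tag = icv(digest, esp_hdr + ct) if digest else b""
    return esp_hdr + ct + tag


def esp_open(packet, digest=None):
    """Return the decrypted payload, or None when the ICV check fails."""
    tag_len = 12 if digest else 0
    body, tag = packet[:len(packet) - tag_len], packet[len(packet) - tag_len:]
    if digest and not hmac.compare_digest(tag, icv(digest, body)):
        return None
    ct = body[8:]
    return bytes(c ^ k for c, k in zip(ct, keystream(ENC_KEY, len(ct))))


def flip_bit(data, index, mask):
    b = bytearray(data)
    b[index] ^= mask
    return bytes(b)


def ah_detects_outer_header_change():
    """Tip 2: AH catches a rewritten destination address in the outer header."""
    tag = ah_protect(OUTER_IP_HEADER, PAYLOAD)
    forged = flip_bit(OUTER_IP_HEADER, 19, 0x01)  # last byte of the destination
    return not ah_verify(forged, PAYLOAD, tag)


def ah_tolerates_ttl_decrement():
    """A router decrementing TTL must not break AH, hence the zeroed fields."""
    tag = ah_protect(OUTER_IP_HEADER, PAYLOAD)
    routed = flip_bit(OUTER_IP_HEADER, 8, 0x7F)  # TTL 0x40 -> 0x3f
    return ah_verify(routed, PAYLOAD, tag)


def esp_without_auth_is_malleable():
    """Tip 3: esp-3des alone. One flipped ciphertext bit silently turns the
    decrypted request path from /config into /Config; nothing rejects it."""
    pkt = esp_protect(PAYLOAD)
    tampered = flip_bit(pkt, 8 + 5, 0x20)  # 8-byte ESP header; payload byte 5 is 'c'
    return esp_open(tampered)


def esp_with_auth_rejects_tamper():
    """Tip 3: esp-3des plus esp-sha-hmac. The same bit flip fails the ICV check."""
    pkt = esp_protect(PAYLOAD, "sha")
    tampered = flip_bit(pkt, 8 + 5, 0x20)
    return esp_open(tampered, "sha") is None


if __name__ == "__main__":
    print(ah_detects_outer_header_change(), ah_tolerates_ttl_decrement())
    print(esp_without_auth_is_malleable())
    print(esp_with_auth_rejects_tamper())
```

The AH check zeroes exactly the header fields a router may rewrite, which is why it survives a TTL decrement but not a changed address; the ESP check never sees the outer header at all, which is the trade-off the second tip refers to.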

11.3.3.3 Configuring transform-set using CLI

To create a transform set that specifies how traffic matched by the crypto ACL is to be protected, use the following CLI commands:
1. Create an IPSec transform set by selecting the security protocol:
WS5100(config)# crypto ipsec transform-set <name> esp-3des
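The weak and corrected forms of this step side by side, as an added example that is not from the WS5100 guide: the transform-set names are arbitrary, and it assumes the ESP authentication keyword is given on the same command line as the encryption transform (the Cisco-style layout this CLI follows); the lines beginning with `!` are explanatory comments, not configuration.

```text
! Confidentiality only: ciphertext can be altered in transit without detection
crypto ipsec transform-set ws_vpn_weak esp-3des

! Encryption plus ESP authentication; esp-sha-hmac preferred over esp-md5-hmac
crypto ipsec transform-set ws_vpn esp-3des esp-sha-hmac
```

Because changing a transform set deletes the SAs built from it, make this change in a maintenance window when the peers can re-establish their tunnels.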
11-7
VPN