Transform Sets; Global Lifetimes for IPSec Security Associations - Cisco IOS XR Configuration Manual

System security configuration guide
Information About Implementing IPSec Networks
Crypto access lists associated with IPSec crypto profile entries have four primary functions:

• Select outbound traffic to be protected by IPSec (permit = protect).
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPSec SAs.
• Process inbound traffic to filter and discard traffic that should have been protected by IPSec.
• Determine whether to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is done only for ipsec-isakmp crypto profile entries.) If the peer initiates the IPSec negotiation, its request is accepted only if it specifies a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto profile entry.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic.

Transform Sets

A transform set represents a certain combination of security protocols and algorithms. During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

You can specify multiple transform sets and then specify one or more of them in a crypto profile entry. The transform set defined in the crypto profile entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto profile entry's access list.

During IPSec SA negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of both peers' IPSec SAs.

If you change a transform set definition, the change is applied only to crypto profile entries that reference the transform set. The change is not applied to existing SAs, but is used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto ipsec sa command.

Global Lifetimes for IPSec Security Associations

You can change the global lifetime values that are used when negotiating new IPSec SAs.

Two lifetimes exist: a "timed" lifetime and a "traffic-volume" lifetime. An SA expires after the first of these lifetimes is reached. The default lifetimes are 3600 seconds (1 hour) and 4,194,303 kilobytes (10 MBps for 1 hour).

In addition, a lifetime per profile is supported. If a profile is configured with a lifetime, it overrides the global definition.

If you change a global lifetime, the new lifetime value is not applied to currently existing SAs, but is used in the negotiation of subsequently established SAs. If you want to use the new values immediately, you can clear all or part of the SA database. See the clear crypto ipsec sa command for more details.

IPSec SAs use one or more shared secret keys. These keys and their SAs time out together.

Cisco IOS XR System Security Configuration Guide
SC-96
Implementing IPSec Network Security on Cisco IOS XR Software
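The transform-set selection and SA lifetime rules from the Transform Sets and Global Lifetimes sections above, modelled in Python as an added example; this is not Cisco code and not taken from the guide. The peer names, profile names, transform-set contents and the 600-second / 100,000-kilobyte profile override are constructed; the global defaults are the 3600-second and 4,194,303-kilobyte values the guide states. The model shows that peers match a transform set by its content rather than its local name, that an SA expires on whichever lifetime is reached first, that a profile lifetime overrides the global one, and that a changed global lifetime reaches only SAs negotiated afterwards unless the SA database is cleared (the counterpart of clear crypto ipsec sa).

```python
"""Constructed model (not Cisco code) of the IPsec SA rules described above:
transform-set selection, timed and traffic-volume lifetimes, per-profile
override, and changes applying only to subsequently negotiated SAs."""
from __future__ import annotations
from dataclasses import dataclass

# Global defaults as stated in the guide: 3600 seconds, 4,194,303 kilobytes.
DEFAULT_SECONDS = 3600
DEFAULT_KILOBYTES = 4_194_303

@dataclass
class Lifetime:
    seconds: int
    kilobytes: int

@dataclass
class CryptoProfile:
    name: str
    transform_sets: list[str]           # ordered preference, by local name
    lifetime: Lifetime | None = None    # per-profile override, if configured

@dataclass
class SecurityAssociation:
    profile: str
    transform_set: str
    lifetime: Lifetime                  # frozen when the SA is negotiated
    established_at: float
    kilobytes_sent: int = 0

    def expired(self, now: float) -> bool:
        """The SA expires when the FIRST of the two lifetimes is reached."""
        timed_out = now - self.established_at >= self.lifetime.seconds
        volume_out = self.kilobytes_sent >= self.lifetime.kilobytes
        return timed_out or volume_out

class IpsecPeer:
    def __init__(self, transform_sets: dict[str, frozenset[str]],
                 profiles: dict[str, CryptoProfile]):
        # A transform set is compared by content (its protocol/algorithm
        # tokens), so peers match even when their local names differ.
        self.transform_sets = transform_sets
        self.profiles = profiles
        self.global_lifetime = Lifetime(DEFAULT_SECONDS, DEFAULT_KILOBYTES)
        self.sa_db: list[SecurityAssociation] = []

    def effective_lifetime(self, profile: CryptoProfile) -> Lifetime:
        """A lifetime configured on the profile overrides the global one."""
        return profile.lifetime or self.global_lifetime

    def negotiate(self, profile_name: str, responder: IpsecPeer,
                  now: float) -> SecurityAssociation:
        """Select the first transform set in the profile that the responder
        also defines; the new SA carries the lifetime in force right now."""
        profile = self.profiles[profile_name]
        responder_sets = set(responder.transform_sets.values())
        for ts_name in profile.transform_sets:
            if self.transform_sets[ts_name] in responder_sets:
                sa = SecurityAssociation(profile_name, ts_name,
                                         self.effective_lifetime(profile), now)
                self.sa_db.append(sa)
                return sa
        raise ValueError("no transform set is the same at both peers")

    def set_global_lifetime(self, seconds: int | None = None,
                            kilobytes: int | None = None) -> None:
        """Change the global lifetime; existing SAs keep what they negotiated."""
        g = self.global_lifetime
        self.global_lifetime = Lifetime(
            seconds if seconds is not None else g.seconds,
            kilobytes if kilobytes is not None else g.kilobytes)

    def clear_ipsec_sa(self, profile_name: str | None = None) -> None:
        """Counterpart of 'clear crypto ipsec sa': drop all SAs, or only one
        profile's, so new SAs are negotiated with the current settings."""
        self.sa_db = [sa for sa in self.sa_db
                      if profile_name is not None and sa.profile != profile_name]

def demo() -> dict:
    """Constructed scenario: peer A prefers AES but also defines 3DES; peer B
    defines only the 3DES set under another name.  Profile p2 carries a
    constructed 600-second / 100,000-kilobyte override."""
    a = IpsecPeer(
        {"ts-aes": frozenset({"esp-aes", "esp-sha-hmac"}),
         "ts-3des": frozenset({"esp-3des", "esp-sha-hmac"})},
        {"p1": CryptoProfile("p1", ["ts-aes", "ts-3des"]),
         "p2": CryptoProfile("p2", ["ts-aes", "ts-3des"], Lifetime(600, 100_000))})
    b = IpsecPeer({"remote-3des": frozenset({"esp-3des", "esp-sha-hmac"})}, {})
    sa1 = a.negotiate("p1", b, now=0.0)   # global lifetime applies
    sa2 = a.negotiate("p2", b, now=0.0)   # profile override applies
    a.set_global_lifetime(seconds=1800)   # leaves sa1 and sa2 untouched
    sa3 = a.negotiate("p1", b, now=0.0)   # new SA sees the new global value
    sa2.kilobytes_sent = 100_000          # volume lifetime reached first
    a.clear_ipsec_sa("p1")                # p1 will renegotiate; p2's SA stays
    return {"selected": sa1.transform_set, "sa1_seconds": sa1.lifetime.seconds,
            "sa2_seconds": sa2.lifetime.seconds, "sa3_seconds": sa3.lifetime.seconds,
            "sa2_expired": sa2.expired(10.0), "sa1_expired": sa1.expired(3599.0),
            "sas_after_clear": len(a.sa_db)}
```

Running demo() shows the 3DES set selected (the only one both peers define), sa1 still carrying 3600 seconds after the global value was changed to 1800, sa3 carrying 1800, sa2 expired on volume long before its timed lifetime, and only the p2 SA left after clearing p1's SAs.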

This manual is also suitable for: IOS XR 3.5