Transform Set Negotiation

[Figure: transform set negotiation between RouterA and RouterB]

• Transform sets are negotiated during IKE Phase 2.

© 2004 Cisco Systems, Inc. All rights reserved. BCRAN v2.1—5-4

Transform sets are negotiated during quick mode in IKE Phase 2 using the transform sets that you previously configured. You can configure multiple transform sets and then specify one or more of the transform sets in a crypto map entry. Configure the transforms from most to least secure, according to your policy. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows that are specified by the ACL of that crypto map entry.

During the negotiation, the peers search for a transform set that is the same at both peers, as illustrated in the figure. Each of the RouterA transform sets is compared against each of the RouterB transform sets in succession. RouterA transform sets 10, 20, and 30 are first compared with RouterB transform set 40; the result is no match. All of the RouterA transform sets are then compared against each remaining RouterB transform set in turn. Finally, RouterA transform set 30 matches RouterB transform set 60. When such a match is found, that transform set is selected and applied to the protected traffic as part of the IPSec SAs on both peers. IPSec peers agree on one unidirectional transform proposal per SA.
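The search order described above, modelled as an added example (not Cisco's code or the course's own material): the local sets are walked in configured order and each is compared against every peer set, and the first equivalent pair is selected. Transform names, sequence numbers and the two routers' configurations are constructed for illustration, loosely modelled on IOS transform set syntax.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class TransformSet:
    """One configured transform set: its crypto map sequence tag and its transforms."""
    tag: int                 # sequence number, e.g. 10, 20, 30
    transforms: frozenset    # e.g. frozenset({"esp-aes 256", "esp-sha-hmac"})
    mode: str = "tunnel"     # "tunnel" or "transport"


def same_proposal(a: TransformSet, b: TransformSet) -> bool:
    """Two sets match when they name the same transforms and the same mode."""
    return a.transforms == b.transforms and a.mode == b.mode


def negotiate(local: Sequence[TransformSet],
              peer: Sequence[TransformSet]) -> Optional[Tuple[int, int]]:
    """Walk the local sets in configured order and compare each against every
    peer set in turn; the first matching pair is selected for the IPSec SA."""
    for mine in local:
        for theirs in peer:
            if same_proposal(mine, theirs):
                return mine.tag, theirs.tag
    return None  # no common transform set: the IPSec SA cannot be built


def selected_is_preferred(local: Sequence[TransformSet],
                          peer: Sequence[TransformSet]) -> bool:
    """Defender's check: did negotiation land on the local set listed first?
    If not, the peer does not share the strongest proposal and the SA will
    run on a weaker transform than the one configured as preferred."""
    result = negotiate(local, peer)
    return result is not None and result[0] == local[0].tag


# Constructed sample configuration (not from the page): only A30 and B60 agree.
ROUTER_A = [
    TransformSet(10, frozenset({"esp-aes 256", "esp-sha-hmac"})),
    TransformSet(20, frozenset({"esp-aes", "esp-sha-hmac"})),
    TransformSet(30, frozenset({"esp-3des", "esp-sha-hmac"})),
]
ROUTER_B = [
    TransformSet(40, frozenset({"esp-aes 256", "esp-md5-hmac"})),
    TransformSet(50, frozenset({"esp-3des", "esp-sha-hmac"}), mode="transport"),
    TransformSet(60, frozenset({"esp-3des", "esp-sha-hmac"})),
]

if __name__ == "__main__":
    print(negotiate(ROUTER_A, ROUTER_B))              # (30, 60)
    print(selected_is_preferred(ROUTER_A, ROUTER_B))  # False
```

Because the local list is the outer loop, the local ordering decides which common set wins, which is why the text tells you to list transform sets from most to least secure.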
