Step 2 Configure the IPsec Transform Sets

The configuration of the IPsec transform sets actually covers three of the IPsec configuration steps mentioned earlier. The IPsec transform set, crypto ACL, and crypto map are tightly woven together. It is difficult to talk about one of them without mentioning the other two. Thus, this section covers all three together.

The following list is a reminder of the IPsec security parameters that are negotiated between peers:

■ IPsec authentication (MD5 or SHA-1)

■ IPsec mode (tunnel or transport)

■ IPsec SA lifetime (seconds or kilobytes)

Figure 13-7 shows how these IPsec parameters are configured.

Figure 13-7 IPsec Transform Set Configuration


Peer with crypto map to-central:

crypto ipsec transform-set set-60 esp-des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set set-70 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
!
access-list 170 permit
!
crypto map to-central 70 ipsec-isakmp
 set peer
 match address 170
 set transform-set set-70

Peer with crypto map to-remote:

crypto ipsec transform-set set-55 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set set-65 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
!
access-list 155 permit
!
crypto map to-remote 55 ipsec-isakmp
 set peer
 match address 155
 set transform-set set-55

Earlier, Figure 13-5 showed the generic IPsec transform set attributes. Figure 13-7 now shows how each of those parameters is configured in Cisco IOS.

Each IPsec endpoint defines one or more IPsec transform sets. In this case, set-60, set-70, set-55, and set-65 can be compared to the IPsec transform sets shown earlier in Figure 13-5. These names only have local significance to the IPsec peering process. The IPsec transform set defines all of the IPsec security parameters mentioned above. The terms esp-3des and esp-sha-hmac define ESP as the IPsec protocol, versus AH. Table 13-2 displays the relevant IPsec transform sets for this certification.

Table 13-2 IPsec Transform Sets

Transform Type                          IOS Transform

AH Transform
  AH with MD5 authentication            ah-md5-hmac
  AH with SHA authentication            ah-sha-hmac

ESP Encryption Transform
  ESP with 128-bit AES encryption       esp-aes
  ESP with 192-bit AES encryption       esp-aes 192
  ESP with 256-bit AES encryption       esp-aes 256
  ESP with 56-bit DES encryption        esp-des
  ESP with 168-bit 3DES encryption      esp-3des

ESP Authentication Transform
  ESP with MD5 authentication           esp-md5-hmac
  ESP with SHA authentication           esp-sha-hmac

The crypto ipsec transform-set command is used to select an AH transform, an ESP encryption transform, and/or an ESP authentication transform. Only one IOS transform from each transform type may be selected. Figure 13-7 shows the use of an ESP encryption transform and an ESP authentication transform. Not all three transform types must be used when configuring the IPsec tunnel.

Within the solid circles in Figure 13-7, esp-3des defines the encryption algorithm, while esp-sha-hmac defines the authentication algorithm. These parameters must be the same for both peers. Within the IPsec transform set, the IPsec mode can be configured. Here, tunnel mode is selected. Remember that transport mode is the alternate. Tunnel mode is the default in IOS, so it would not appear in the configuration file.

In the dotted circles, the crypto ipsec security-association CLI command permits the SA lifetime to be configured. In Figure 13-7, the lifetime is configured to 30 minutes.
