crypto ipsec transform-set

Use this command to configure a transform set, which defines the security protocols and algorithm settings applied to IPSec-protected traffic.

During IPSec security association negotiation, the peers agree on a particular transform set to protect a particular data flow.

Several transform-sets can be specified and associated with a crypto map entry.

A transform set selects the IPSec security protocol, Encapsulating Security Payload (ESP) or Authentication Header (AH), and specifies which algorithms to use with that protocol.

Command Syntax

crypto ipsec transform-set NAME
crypto ipsec transform-set NAME ah (none|ah-md5|ah-sha1|ah-sha256|ah-sha384|ah-sha512)
crypto ipsec transform-set NAME esp-auth (none|esp-md5|esp-sha1|esp-sha256|esp-sha384|esp-sha512) esp-enc (esp-null|esp-3des|esp-aes|esp-aes192|esp-aes256|esp-blf|esp-blf192|esp-blf256|esp-cast)
crypto ipsec transform-set NAME mode (transport)
no crypto ipsec transform-set NAME mode
no crypto ipsec transform-set NAME

Parameters

NAME

Name of the transform set.

mode

Change the transform-set mode between tunnel and transport.

transport

The payload (data) of the original IP packet is protected.

ah

Authentication Header protocol provides data authentication.

none

No authentication.

ah-md5

Authentication Header with Message Digest 5 (MD5) Hashed Message Authentication Code (HMAC) variant.

ah-sha1

Authentication Header with Secure Hash Algorithm 1 (SHA-1) Hashed Message Authentication Code (HMAC) variant.

ah-sha256

Authentication Header with Secure Hash Algorithm 256 (SHA-256) Hashed Message Authentication Code (HMAC) variant.

ah-sha384

Authentication Header with Secure Hash Algorithm 384 (SHA-384) Hashed Message Authentication Code (HMAC) variant.

ah-sha512

Authentication Header with Secure Hash Algorithm 512 (SHA-512) Hashed Message Authentication Code (HMAC) variant.

esp-auth

Encapsulating Security Payload authentication protocol provides data authentication.

none

No authentication.

esp-md5

Encapsulating Security Payload with Message Digest 5 (MD5) Hashed Message Authentication Code (HMAC) variant.

esp-sha1

Encapsulating Security Payload with Secure Hash Algorithm 1 (SHA-1) Hashed Message Authentication Code (HMAC) variant.

esp-sha256

Encapsulating Security Payload with Secure Hash Algorithm 256 (SHA-256) Hashed Message Authentication Code (HMAC) variant.

esp-sha384

Encapsulating Security Payload with Secure Hash Algorithm 384 (SHA-384) Hashed Message Authentication Code (HMAC) variant.

esp-sha512

Encapsulating Security Payload with Secure Hash Algorithm 512 (SHA-512) Hashed Message Authentication Code (HMAC) variant.

esp-enc

Encapsulating Security Payload encryption protocol.

esp-null

Encapsulating Security Payload null encryption.

esp-3des

Encapsulating Security Payload with 168-bit DES encryption (3DES or Triple DES).

esp-aes

Encapsulating Security Payload with AES encryption.

esp-aes192

Encapsulating Security Payload with 192-bit AES encryption.

esp-aes256

Encapsulating Security Payload with 256-bit AES encryption.

esp-blf

Encapsulating Security Payload with Blowfish encryption.

esp-blf192

Encapsulating Security Payload with 192-bit Blowfish encryption.

esp-blf256

Encapsulating Security Payload with 256-bit Blowfish encryption.

esp-cast

Encapsulating Security Payload with CAST encryption (not supported with IKEv1).

Command Mode

Command mode

Applicability

This command is introduced in OcNOS version 6.0.0.

Example

#configure terminal
(config)#crypto ipsec transform-set TEST_ESP esp-auth esp-md5 esp-enc esp-3des
(config)#crypto ipsec transform-set TEST_AH ah ah-sha512
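The example above creates an ESP set with MD5 integrity and 3DES encryption, both legacy choices. The following added script (not part of this reference page) parses transform-set lines according to the syntax above and reports syntax errors and weak selections; the list of algorithms it treats as weak is an assumed local policy, not a statement from the page, and the TS_STRONG lines are constructed input.

```python
import re

# Keyword sets taken from the command syntax on this page.
AH_ALGS = {"none", "ah-md5", "ah-sha1", "ah-sha256", "ah-sha384", "ah-sha512"}
ESP_AUTH_ALGS = {"none", "esp-md5", "esp-sha1", "esp-sha256", "esp-sha384", "esp-sha512"}
ESP_ENC_ALGS = {"esp-null", "esp-3des", "esp-aes", "esp-aes192", "esp-aes256",
                "esp-blf", "esp-blf192", "esp-blf256", "esp-cast"}

# Assumed local hardening policy (not from the page): flag unauthenticated,
# unencrypted and legacy transforms. Adjust to your own baseline.
WEAK = {
    "none": "no integrity protection", "esp-null": "null encryption",
    "ah-md5": "MD5", "esp-md5": "MD5", "ah-sha1": "SHA-1", "esp-sha1": "SHA-1",
    "esp-3des": "3DES", "esp-blf": "Blowfish", "esp-blf192": "Blowfish",
    "esp-blf256": "Blowfish", "esp-cast": "CAST",
}

# Accepts a bare command or one copied from a '(config)#' prompt; 'no' forms are ignored.
LINE_RE = re.compile(r"^(?:\(config\)#)?\s*crypto ipsec transform-set (\S+)(.*)$")

# The page's own example (MD5/3DES and SHA-512) plus a constructed AES-256/SHA-256 set.
SAMPLE = """\
(config)#crypto ipsec transform-set TEST_ESP esp-auth esp-md5 esp-enc esp-3des
(config)#crypto ipsec transform-set TEST_AH ah ah-sha512
(config)#crypto ipsec transform-set TS_STRONG esp-auth esp-sha256 esp-enc esp-aes256
(config)#crypto ipsec transform-set TS_STRONG mode transport
"""


def audit_line(line):
    """Return (name, findings) for one transform-set line, or None for other lines.

    Each finding is either 'syntax: ...' or 'weak: <keyword> (<reason>)'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, args = m.group(1), m.group(2).split()
    if not args:                                   # bare 'crypto ipsec transform-set NAME'
        return name, []
    if args[0] == "ah" and len(args) == 2 and args[1] in AH_ALGS:
        chosen = [args[1]]
    elif (args[0] == "esp-auth" and len(args) == 4 and args[2] == "esp-enc"
          and args[1] in ESP_AUTH_ALGS and args[3] in ESP_ENC_ALGS):
        chosen = [args[1], args[3]]
    elif args[0] == "mode" and args[1:] == ["transport"]:
        chosen = []
    else:
        return name, ["syntax: unrecognised form: " + " ".join(args)]
    return name, [f"weak: {k} ({WEAK[k]})" for k in chosen if k in WEAK]


def audit_config(text):
    """Audit a configuration excerpt; returns {transform-set name: [findings]}."""
    report = {}
    for line in text.splitlines():
        res = audit_line(line)
        if res:
            report.setdefault(res[0], []).extend(res[1])
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```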