Configure a Router with IPSec Using Pre-shared Keys
Step 1 – Configure transform set suites

A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

Multiple transform sets can be specified, and then one or more of these transform sets can be specified in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negotiation to protect the data flows specified by the ACL in that crypto map entry.

During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of the IPSec security associations of both peers.

With manually established security associations, there is no negotiation with the peer, so both sides must specify the same transform set.

If a transform set definition is changed, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. To force the new settings to take effect sooner, all or part of the security association database can be cleared by using the clear crypto sa command.

To define a transform set, use the commands shown in Figure, starting in global configuration mode. The steps shown in Figure can be used to edit a transform set.

Transform Set Negotiation
Transform sets are negotiated during quick mode in IKE phase two using the transform sets that were previously configured. Configure the transforms from most to least secure as dictated by the security policy. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by the ACL in that crypto map entry.

During the negotiation, the peers search for a transform set that is the same at both peers, as illustrated in Figure. Each of the transform sets on Router A is compared against each of the transform sets on Router B in succession. Transform sets 10, 20, and 30 on Router A are first compared with transform set 40 on Router B; the result is no match. All of the transform sets on Router A are then compared against the next transform set on Router B. Ultimately, transform set 30 on Router A matches transform set 60 on Router B. When such a transform set is found, it is selected and is applied to the protected traffic as part of the IPSec SA of both peers. IPSec peers agree on one transform proposal per SA, and each SA is unidirectional.
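As an added illustration of the search order described above (this is a model written for this page, not Cisco code or output), the following Python compares two routers' transform set lists in the sequence the text describes. Set 50 on Router B and all algorithm choices are assumptions constructed for the example; only sets 10, 20, 30, 40 and 60 are named in the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    """One IPsec transform set: ESP encryption, ESP integrity and mode.
    Values mirror IOS transform keywords (esp-aes 256, esp-sha-hmac, ...)."""
    name: str
    encryption: str
    integrity: str
    mode: str = "tunnel"

    def matches(self, other: "TransformSet") -> bool:
        # The name/number is only a local label; protocols, algorithms and
        # mode must all agree for the two sets to be "the same".
        return (self.encryption, self.integrity, self.mode) == (
            other.encryption, other.integrity, other.mode)


def negotiate(router_a: List[TransformSet],
              router_b: List[TransformSet]) -> Optional[Tuple[str, str]]:
    """Search as described in the text: every set on Router A is compared
    against the first set on Router B, then against the next, and so on.
    The first agreeing pair is selected for the SA; None means no common
    proposal exists and the IPsec SA cannot be established."""
    for b in router_b:
        for a in router_a:
            if a.matches(b):
                return (a.name, b.name)
    return None


# Constructed sample policies, ordered most to least secure on each side.
ROUTER_A = [
    TransformSet("10", "esp-aes 256", "esp-sha256-hmac"),
    TransformSet("20", "esp-aes 128", "esp-sha-hmac"),
    TransformSet("30", "esp-3des", "esp-sha-hmac"),
]
ROUTER_B = [
    TransformSet("40", "esp-aes 256", "esp-sha-hmac"),             # integrity differs from 10
    TransformSet("50", "esp-aes 128", "esp-sha-hmac", "transport"),  # assumed; mode differs from 20
    TransformSet("60", "esp-3des", "esp-sha-hmac"),
]

if __name__ == "__main__":
    print(negotiate(ROUTER_A, ROUTER_B))       # ('30', '60')
    # Dropping the legacy 3DES set from Router A leaves no common proposal:
    # the classic symptom of a policy mismatch is that the IPsec SA never comes up.
    print(negotiate(ROUTER_A[:2], ROUTER_B))   # None
```

Note that the weakest set wins here only because a weaker set was configured at all; keeping legacy transforms out of the list on both peers is what prevents a downgrade to them.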