A transform set represents a certain combination of security
protocols and algorithms. During the IPSec security association negotiation,
the peers agree to use a particular transform set for protecting a particular
data flow.
Multiple transform sets can be specified, and then one or more of these
transform sets can be specified in a crypto map entry. The transform set
defined in the crypto map entry will be used in the IPSec security association
negotiation to protect the data flows specified by the ACL in that crypto map
entry.
During IPSec security association negotiations with IKE, the
peers search for a transform set that is the same at both peers. When such a
transform set is found, it is selected and will be applied to the protected
traffic as part of the IPSec security associations of both peers.
With
manually established security associations, there is no negotiation with the
peer, so both sides must specify the same transform set.
If a transform
set definition is changed, the change is only applied to crypto map entries
that reference the transform set. The change will not be applied to existing
security associations, but will be used in subsequent negotiations to establish
new security associations. To force the new settings to take effect sooner, all
or part of the security association database can be cleared by using the
clear crypto sa command.
To define a transform set, use the commands shown in Figure starting in
global configuration mode. The steps shown in Figure can be used to edit a
transform set.
Transform Set Negotiation
Transform sets are negotiated during
quick mode in IKE phase two using the transform sets that were previously
configured. Configure the transforms from most to least secure as dictated by
the security policy. The transform set defined in the crypto map entry is used
in the IPSec SA negotiation to protect the data flows specified by the ACL in
that crypto map entry.
During the negotiation, the peers search for a transform set that is the same
at both peers, as illustrated in Figure. Each of the transform sets on Router A
is compared against each of the transform sets on Router B in succession. The
transform sets 10, 20, and 30 on Router A are compared with transform set 40 on
Router B; the result is no match. All of the transform sets on Router A are
then compared against the next transform set on Router B. Ultimately, transform
set 30 on Router A matches transform set 60 on Router B. When such a transform
set is found, it is selected and is applied to the protected traffic as part of
the IPSec SA of both peers. IPSec peers agree on one transform proposal per SA,
in a unidirectional manner.
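The following model of the matching just described is an added illustration, not code from the original text or from Cisco IOS. The algorithms inside each set, the mode values and Router B's middle set (named 50 here) are constructed assumptions; the comparison order follows the text (each of Router B's sets in turn, tested against all of Router A's sets).

```python
"""Model of IPSec transform-set negotiation as described in the text (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    """A transform set: a combination of security protocols/algorithms plus mode."""
    name: str
    transforms: frozenset       # e.g. {"esp-aes", "esp-sha-hmac"}
    mode: str = "tunnel"        # "tunnel" or "transport"

    def matches(self, other: "TransformSet") -> bool:
        # Peers agree only when protocols, algorithms and mode are all identical.
        return self.transforms == other.transforms and self.mode == other.mode


def negotiate(router_a: List[TransformSet],
              router_b: List[TransformSet]) -> Optional[Tuple[str, str]]:
    """Return (a_name, b_name) of the first matching pair, or None if no SA can form.

    Comparison order as the text describes it: all of Router A's sets are tried
    against Router B's first set, then against B's next set, and so on. Because
    the first match wins, each list should be ordered from most to least secure.
    """
    for b in router_b:
        for a in router_a:
            if a.matches(b):
                return (a.name, b.name)
    return None


# Constructed sample policies; only the set numbers 10/20/30 (A) and 40/60 (B)
# come from the text, and set 50 is an assumed placeholder for B's middle set.
ROUTER_A = [
    TransformSet("10", frozenset({"esp-aes", "esp-sha-hmac"})),
    TransformSet("20", frozenset({"esp-3des", "esp-sha-hmac"})),
    TransformSet("30", frozenset({"esp-3des", "esp-md5-hmac"})),
]
ROUTER_B = [
    # Same algorithms as A's set 10, but transport mode: still no match.
    TransformSet("40", frozenset({"esp-aes", "esp-sha-hmac"}), mode="transport"),
    TransformSet("50", frozenset({"ah-sha-hmac"})),
    TransformSet("60", frozenset({"esp-3des", "esp-md5-hmac"})),
]

if __name__ == "__main__":
    print(negotiate(ROUTER_A, ROUTER_B))  # ('30', '60')
```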