Crypto Transform Mode Commands
XSR CLI Reference Guide 14-115
Example
This example defines two transform sets and specifies that both can be used within a crypto map entry.
When traffic matches ACL 101, the SA can use either transform set my_t_set1 (first priority) or
my_t_set2 (second priority), depending on which transform set matches the remote peer's
transform sets.
XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set transform-set my_t_set1 my_t_set2
XSR(config-crypto-m)#set peer 10.0.0.1

Crypto Transform Mode Commands

crypto ipsec transform-set

This command defines a transform set, which is an acceptable combination of security protocols
and algorithms to apply to IP Security protected traffic. During IPSec Security Association (SA)
negotiation, peers agree to use a particular transform set when protecting a particular data flow.
This command acquires Crypto Transform configuration Mode. The following sub-commands are
available in this mode:
  set pfs - Specifies that IPSec should ask for PFS when seeking new SAs for this crypto map
  entry, or that IPSec requires PFS when getting requests for new SAs. Refer to page 14-116 for
  the command definition.
  set security-association lifetime - Specifies the interval used when negotiating IPSec
  SAs. Refer to page 14-117 for the command definition.
A transform set is an acceptable combination of security protocols, algorithms and other settings
to apply to IP Security protected traffic. During IPSec SA negotiation, the peers agree to use a
particular transform set when protecting a particular data flow.
Syntax
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
transform-set-name  Name of the transform set to create or modify.
transform1          Specify up to 3 transforms defining the IPSec security protocols and
                    algorithms. The choices are:
                      ah-md5-hmac: AH transform with HMAC-MD5 algorithm.
                      ah-sha-hmac: AH transform with HMAC-SHA algorithm.
                      esp-3des: ESP transform with 56-bit DES encryption (168 bits).
                      esp-aes: ESP transform with 128-bit AES encryption.
                      esp-des: ESP transform with 168-bit Triple DES encryption.
                      esp-md5-hmac: ESP transform with HMAC-MD5 data integrity algorithm.
                      esp-null: ESP transform with no encryption.
                      esp-sha-hmac: ESP transform with HMAC-SHA data integrity algorithm.
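The following Python sketch is an added example, not part of the XSR guide or its software. It parses the transform-set commands shown above, enforces the 1-to-3 transform limit and the listed keywords, picks the transform set a crypto map would use against a peer's offer, and reports sets that provide no encryption. The function names are hypothetical, and treating a "match" as an identical collection of transforms is a simplifying assumption.

```python
import re

# Transform keywords as listed in the syntax table above.
KNOWN = {"ah-md5-hmac", "ah-sha-hmac", "esp-3des", "esp-aes", "esp-des",
         "esp-md5-hmac", "esp-null", "esp-sha-hmac"}
ENCRYPTING = {"esp-3des", "esp-aes", "esp-des"}  # ESP transforms that encrypt

# Constructed sample input: the configuration from the example on this page.
LOCAL_CONFIG = """\
XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set transform-set my_t_set1 my_t_set2
XSR(config-crypto-m)#set peer 10.0.0.1
"""

def parse_config(text):
    """Return ({set name: frozenset of transforms}, [set names in priority order])."""
    sets, order = {}, []
    for line in text.splitlines():
        words = re.sub(r"^\S*#", "", line.strip()).split()  # drop the CLI prompt
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
            name, transforms = words[3], words[4:]
            if not 1 <= len(transforms) <= 3:
                raise ValueError(f"{name}: 1 to 3 transforms are allowed")
            unknown = set(transforms) - KNOWN
            if unknown:
                raise ValueError(f"{name}: unknown transform {sorted(unknown)}")
            sets[name] = frozenset(transforms)
        elif words[:2] == ["set", "transform-set"]:
            order = words[2:]  # listed first = first priority
    return sets, order

def select_transform_set(sets, order, peer_sets):
    """First local set, in priority order, equal to one of the peer's sets.
    Assumption: a match means the same collection of transforms."""
    offered = {frozenset(p) for p in peer_sets}
    for name in order:
        if sets.get(name) in offered:
            return name
    return None  # no common transform set, so no SA can be agreed

def no_confidentiality(sets):
    """Names of sets with no encrypting ESP transform (AH only or esp-null)."""
    return sorted(n for n, t in sets.items() if not t & ENCRYPTING)
```

Running `no_confidentiality` over a parsed configuration is a quick audit for transform sets that would leave a data flow authenticated but unencrypted.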