crypto ipsec transform-set
This command, when used in global configuration mode, defines a transform set as an acceptable combination of security protocols and algorithms for IPSec encapsulating security payload (ESP). To delete a transform set, use the no form of this command.
Syntax
crypto ipsec transform-set <transform-set-name> <transform> <transform>
no crypto ipsec transform-set <transform-set-name>
| Command | Description | 
|---|---|
| transform-set-name | Specifies the name of the transform set to create (or modify). | 
| transform | Specifies two "transforms". These transforms define the IPSec security protocols and algorithms. Accepted transform values are described in the "transform table". | 
| Transform Type | Transform | Description |
|---|---|---|
| ESP Encryption Transform | esp-3des | Defines ESP with the 168-bit DES encryption algorithm (3DES or Triple DES). |
| | esp-aes | Defines ESP with the 128-bit AES encryption algorithm. |
| | esp-null | Defines null encryption algorithm. |
| | esp-gcm [128\|192\|256] | Defines ESP with 128, 192, or 256 bit AES encryption algorithm using the Galois Counter Mode (GCM) cipher (AES-GCM). |
| ESP Authentication Transform | esp-md5-hmac | Defines ESP with the MD5 (HMAC variant) authentication algorithm. |
| | esp-sha-hmac | Defines ESP with the SHA (HMAC variant) authentication algorithm. |
| | esp-sha256-hmac | Defines ESP with the SHA-256 (HMAC variant) authentication algorithm. |
| | esp-sha384-hmac | Defines ESP with the SHA-384 (HMAC variant) authentication algorithm. |
| | esp-sha512-hmac | Defines ESP with the SHA-512 (HMAC variant) authentication algorithm. |
| AH Transform | ah-md5-hmac | Defines AH with the MD5 (HMAC variant) authentication algorithm. |
| | ah-sha-hmac | Defines AH with the SHA (HMAC variant) authentication algorithm. |
| | ah-sha256-hmac | Defines AH with the SHA-256 (HMAC variant) authentication algorithm. |
| | ah-sha384-hmac | Defines AH with the SHA-384 (HMAC variant) authentication algorithm. |
| | ah-sha512-hmac | Defines AH with the SHA-512 (HMAC variant) authentication algorithm. |
This command puts you into the cfg-crypto-trans command mode:
(cfg-crypto-trans)# mode <encapsulation-type>
| Command | Description | 
|---|---|
| encapsulation-type | Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned. | 
Default
This command has no defaults.
Command Mode
Transform sets (crypto ipsec transform-set) are defined in enabled configuration mode.
Example
This example demonstrates how to configure a transform set:
(config data)# crypto ipsec transform-set abc esp-3des esp-sha-hmac
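When reviewing a saved configuration, each transform-set line can be checked against the transform table above. The following Python script is an added example, not part of the original command reference or any vendor tooling. Which transforms it flags (the `WEAK` map) is an assumed review policy, and every sample line except the page's own `abc` example is constructed.

```python
import re

# Transform names exactly as listed in the transform table on this page.
ESP_ENC = {"esp-3des", "esp-aes", "esp-null", "esp-gcm"}
KNOWN = ESP_ENC | {
    "esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac", "esp-sha384-hmac",
    "esp-sha512-hmac", "ah-md5-hmac", "ah-sha-hmac", "ah-sha256-hmac",
    "ah-sha384-hmac", "ah-sha512-hmac",
}
# Assumption (reviewer's policy, not from the page): transforms to flag.
WEAK = {
    "esp-null": "ESP payload is not encrypted",
    "esp-3des": "3DES is a legacy 64-bit block cipher",
    "esp-md5-hmac": "MD5-based integrity is deprecated",
    "ah-md5-hmac": "MD5-based integrity is deprecated",
}
# Optional CLI prompt, then the command; "no crypto ..." lines do not match.
LINE = re.compile(r"^[ \t]*(?:\([^)\n]*\)#[ \t]*)?crypto ipsec transform-set"
                  r"[ \t]+(\S+)[ \t]+(.+)$", re.M)
# "esp-gcm 256" is one transform; every other transform is a single word.
TOKEN = re.compile(r"esp-gcm[ \t]+(?:128|192|256)(?!\S)|\S+")

def audit_config(text):
    """Return {transform-set-name: [findings]} for each transform-set line."""
    report = {}
    for name, rest in LINE.findall(text):
        transforms = TOKEN.findall(rest)
        findings = []
        for t in transforms:
            base = t.split()[0]
            note = WEAK.get(base) if base in KNOWN else "not in the transform table"
            if note:
                findings.append(f"{t}: {note}")
        if not any(t.split()[0] in ESP_ENC for t in transforms):
            findings.append("no ESP encryption transform: traffic is not encrypted")
        report[name] = findings
    return report

# Constructed sample input; only the first line is the page's own example.
SAMPLE = """\
(config data)# crypto ipsec transform-set abc esp-3des esp-sha-hmac
crypto ipsec transform-set good esp-aes esp-sha256-hmac
crypto ipsec transform-set old ah-md5-hmac esp-gcm 256
no crypto ipsec transform-set abc
"""

if __name__ == "__main__":
    print(audit_config(SAMPLE))
```

An empty findings list means every transform in the set is in the table and none is on the flag list.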