Configuring transform-sets
About this task
A transform-set defines the IKE phase 2 parameters. It specifies the encryption and
authentication algorithms to be used, sets a security association lifetime, and specifies whether
PFS is enabled and which DH group it uses. In addition, it specifies the IPSec VPN mode
(tunnel or transport).
Note:
You can define up to 40 transform-sets.
Important:
Define at least one transform-set.
Procedure
1. Use the crypto ipsec transform-set command to enter the context of a
transform-set (and to create the transform-set if it does not exist).
The command variables include:
• The name of the transform-set
• The encryption algorithm used by the transform-set. Possible values are esp-
des, esp-3des, esp-aes, esp-aes-192, esp-aes-256 and esp-null (no
encryption).
• The authentication algorithm used by the transform-set. Possible values are
esp-md5-hmac and esp-sha-hmac.
• The IP compression algorithm used by the transform-set. The only possible
value is comp-lzs.
For example:
Gxxx-001# crypto ipsec transform-set ts1 esp-3des esp-md5-hmac comp-lzs
Gxxx-001(config-transform:ts1)#
2. You can use the following commands to set the parameters of the transform-set:
• Use the set pfs command to specify whether each IKE phase 2 negotiation
employs Perfect Forward Secrecy (PFS), and if yes, which Diffie-Hellman
group to employ. PFS ensures that even if someone were to discover the long-
term secret(s), the attacker would not be able to recover the session keys, both
past and present. In addition, the discovery of a session key compromises
neither the long-term secrets nor the other session keys. The default setting
is no set pfs.
• Use the set security-association lifetime seconds command to
set the security association lifetime in seconds.
• Use the set security-association lifetime kilobytes command
to set the security association lifetime in kilobytes.
IPSec VPN
488 Administering Avaya G430 Branch Gateway October 2013
Comments? infodev@avaya.com
To Next Page
Loading...
