Crypto map entries also include transform sets. A transform set is an acceptable combination of 
security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic. 
During the IPsec SA negotiation, the peers agree to use a particular transform set when 
protecting a particular data flow.  
4.6.1.1 IKEv1 Transform Sets 
An Internet Key Exchange version 1 (IKEv1) transform set represents a certain combination of 
security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a 
particular transform set for protecting a particular data flow.  
Privileged administrators can specify multiple transform sets and then specify one or more of 
these transform sets in a crypto map entry. The transform set defined in the crypto map entry is 
used in the IPsec SA negotiation to protect the data flows specified by that crypto map entry's 
access list.  
During IPsec security association negotiations with IKE, peers search for a transform set that is 
the same at both peers. When such a transform set is found, it is selected and applied to the 
protected traffic as part of both peers' IPsec SAs. (With manually established SAs, there is no 
negotiation with the peer, so both sides must specify the same transform set.)  
Note: If a transform set definition is changed during operation, the change is not applied to 
existing security associations; it is used only in subsequent negotiations to establish new SAs. If you 
want the new settings to take effect sooner, you can clear all or part of the SA database by using 
the clear crypto sa command.  
The following settings must be configured for the IPsec with IKEv1 functionality of the 
TOE: 
TOE-common-criteria# conf t 
TOE-common-criteria(config)# crypto isakmp policy 1 
TOE-common-criteria(config-isakmp)# hash sha 
TOE-common-criteria(config-isakmp)# encryption aes 
This configures IPsec IKEv1 to use AES-CBC-128 for payload encryption. AES-CBC-256 can 
be selected with "encryption aes 256".  
Note: the authorized administrator must ensure that the keysize for this setting is 
greater than or equal to the keysize selected for ESP in Section 4.6.2 below. If 
AES 128 is selected here, then the highest keysize that can be selected on the TOE 
for ESP is AES 128 (either CBC or GCM). 
Note: Integrity and confidentiality are configured with the hash sha and 
encryption aes commands respectively. Because both are always present in the policy, 
confidentiality-only mode is disabled. 
TOE-common-criteria (config-isakmp)# authentication pre-share 
This configures IPsec to use pre-shared keys. X.509 v3 certificates are also 
supported for authentication of IPsec peers. See Section 4.6.3 below for additional 
information.
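The keysize rule in the note above (the ISAKMP AES keysize must be greater than or equal to the AES keysize of any ESP transform set a crypto map entry will negotiate) is easy to get wrong once a configuration has several transform sets. The following checker is an added example written for this page, not Cisco code and not part of the TOE configuration guide. It parses a constructed IOS configuration snippet embedded inline, ties each crypto map entry to its transform set via the structure described at the top of this section, and reports entries whose ESP keysize exceeds the weakest configured ISAKMP policy. The crypto map name CC-MAP, the ACL numbers, the peer addresses, the pre-shared key and the transform-set names are assumptions; the esp-aes / esp-gcm transform syntax belongs to Section 4.6.2, which is not on this page, and is used here as standard IOS syntax.

```python
"""Check a Cisco IOS IPsec/IKEv1 configuration for the keysize rule stated in the
guide: every ESP AES transform set used by a crypto map entry must not be stronger
than the AES keysize of the 'crypto isakmp policy' that protects the negotiation.

Added example for this page; not Cisco code. With several ISAKMP policies the peer
may end up on any of them, so the weakest one is taken as the worst case (assumption).
"""
import re

# Constructed sample: the ISAKMP policy is AES-128 ('encryption aes' with no size),
# but crypto map entry 10 negotiates an AES-256 transform set, which violates the rule.
# Names, addresses, ACL numbers and the pre-shared key are assumptions for illustration.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key 0 example-psk address 203.0.113.2
crypto ipsec transform-set TS-128 esp-aes 128 esp-sha-hmac
crypto ipsec transform-set TS-256 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-GCM esp-gcm 128
crypto map CC-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-256
 match address 110
crypto map CC-MAP 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set TS-GCM
 match address 120
"""

# The corrected configuration: raise the IKEv1 policy to AES-256 as the guide describes.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" encryption aes\n", " encryption aes 256\n")


def parse_isakmp_policies(config: str) -> dict:
    """Return {policy_number: aes_keysize}; 'encryption aes' without a size is AES-128."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = None
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"\s+encryption aes(?:\s+(\d+))?", line)
            if m:
                policies[current] = int(m.group(1) or 128)
        elif not line.startswith(" "):
            current = None  # left the policy block
    return policies


def parse_transform_sets(config: str) -> dict:
    """Return {name: aes_keysize} for ESP AES-CBC (esp-aes) and AES-GCM (esp-gcm) sets."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
        if not m:
            continue
        name, transforms = m.groups()
        k = re.search(r"esp-(?:aes|gcm)(?:\s+(\d+))?", transforms)
        if k:
            sets[name] = int(k.group(1) or 128)  # IOS default keysize is 128
    return sets


def parse_crypto_map_transform_sets(config: str) -> dict:
    """Return {(map_name, seq): [transform_set_names]} for ipsec-isakmp entries."""
    entries, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = []
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"\s+set transform-set (.*)", line)
            if m:
                entries[current].extend(m.group(1).split())
        elif not line.startswith(" "):
            current = None
    return entries


def check_keysizes(config: str) -> list:
    """Return one finding per crypto map entry whose ESP AES keysize exceeds the
    weakest ISAKMP AES keysize; an empty list means the configuration passes."""
    policies = parse_isakmp_policies(config)
    sets = parse_transform_sets(config)
    entries = parse_crypto_map_transform_sets(config)
    ike_sizes = [s for s in policies.values() if s is not None]
    if not ike_sizes:
        return ["no ISAKMP policy uses AES encryption"]
    ike_min = min(ike_sizes)
    findings = []
    for (name, seq), ts_names in entries.items():
        for ts in ts_names:
            esp = sets.get(ts)
            if esp is None:
                findings.append(f"{name} {seq}: transform-set {ts} not found or not AES")
            elif esp > ike_min:
                findings.append(f"{name} {seq}: ESP AES-{esp} in {ts} exceeds IKEv1 AES-{ike_min}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_keysizes(cfg) or "OK")
```

Run it as a script to see the sample configuration flagged and the corrected one pass. Only the AES keysize relationship from this page is checked; the ESP-side requirements of Section 4.6.2 (for example, which integrity transform accompanies esp-aes) would be a separate check once that section's settings are known.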