Cisco ISR 4000 Family Routers Administrator Guidance
Page 31 of 66
Crypto map entries also include transform sets. A transform set is an acceptable combination of
security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic.
During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting
a particular data flow.
4.6.1.1 IKEv1 Transform Sets
An Internet Key Exchange version 1 (IKEv1) transform set represents a certain combination of
security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a
particular transform set for protecting a particular data flow.
Privileged administrators can specify multiple transform sets and then specify one or more of these
transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in
the IPsec SA negotiation to protect the data flows specified by that crypto map entry's access list.
During IPsec security association negotiations with IKE, peers search for a transform set that is
the same at both peers. When such a transform set is found, it is selected and applied to the
protected traffic as part of both peers' IPsec SAs. (With manually established SAs, there is no
negotiation with the peer, so both sides must specify the same transform set.)
Note: If a transform set definition is changed during operation that the change is not applied to
existing security associations, but is used in subsequent negotiations to establish new SAs. If you
want the new settings to take effect sooner, you can clear all or part of the SA database by using
the clear crypto sa command.
The following settings must be set in configuring the IPsec with IKEv1 functionality for the
TOE:
TOE-common-criteria # conf t
TOE-common-criteria (config)#crypto isakmp policy 1
TOE-common-criteria (config-isakmp)# hash sha
Note: md5 is not to be used in the evaluated configuration.
TOE-common-criteria (config-isakmp)# encryption aes
This configures IPsec IKEv1 to use AES-CBC-128 for payload encryption. AES-
CBC-256 can be selected with ‘encryption aes 256’. These are the only allowed
ciphers in the evaluated configuration, and the other, less secure ciphers, are not to
be used.
Note: the authorized administrator must ensure that the keysize for this setting is
greater than or equal to the keysize selected for ESP in Section 4.6.2 below. If AES
128 is selected here, then the highest keysize that can be selected on the TOE for
ESP is AES 128.
Note: Both confidentiality and integrity are configured with the hash sha and
encryption aes commands respectively. As a result, confidentiality-only mode is
disabled.
TOE-common-criteria (config-isakmp)# authentication pre-share
To Next Page
Loading...
Need help?
General
