Step 3-1 Configure Transform Set Suites
In Chapter 9, an IPSec transform was defined as a single IPSec
security protocol—AH or ESP—with its associated security algorithms and mode.
Technically, a transform is the list of operations done on a dataflow to
provide data authentication, data confidentiality, and, since IOS v12.2(8),
data compression. Some of the supported transform choices are shown in
Figure 10-3.
The actual transforms supported might vary by device type. VPN
devices could support a slightly different group than the PIX Firewall. The
following are transforms supported by the IOS-based devices:
AH Transforms—Pick up to one:
ESP Encryption Transforms—Pick up to one:
ESP Authentication Transform—Pick up to one, but only if you also
selected the esp-des or esp-3des transform (not esp-rfc1829):
IP Compression Transform—Pick up to one:
The compression algorithm used in the comp-lzs transform is Lempel-Ziv-Stac (LZS) compression, the
most widely accepted lossless compression algorithm at this time. Compression is
implemented on Layer 3, like hardware encryption, and can considerably reduce
bandwidth requirements to support IP Security (IPSec).
Transform Sets
A transform set is a combination of up
to three individual IPSec transforms designed to implement a specific security
policy to protect a particular dataflow. The transform sets represent the
security choices available during IPSec SA negotiation between two IPSec peers
in IKE Phase 2 quick mode. The following are two examples of transform sets:
- ah-sha-hmac and esp-des and esp-sha-hmac: AH protocol with SHA-1
authentication, ESP DES encryption, plus ESP SHA-1 authentication.
- esp-3des and esp-md5-hmac: ESP protocol with 3DES encryption, plus ESP MD5
authentication.
The IKE Phase 2 quick mode operates much like the Phase 1
negotiation. The initiator sends one or more transform sets to the destination
peer. The destination peer compares them in order against its own preferred
transform sets. If a match is found, the destination peer returns the transform
to the initiator peer to complete the “negotiation.” The peers must share a
common transform set or the exchange can’t occur. If the peers can’t agree on a
transform set, this means one or the other will need to configure a matching set
of policies.
Transform sets are limited to three transforms with no more than
one AH transform, plus no more than two ESP transforms. Transform sets combine
the following IPSec features:
- Payload authentication, example: AH transform
- Payload encryption, example: ESP transform
- IPSec mode (transport or tunnel)
You can define multiple transform sets, and then specify one or
more of these sets using a crypto map entry. Use the global crypto
ipsec transform-set command to define a transform set. Use the no form of
the command to delete a transform set. The command syntax is as follows:
Rtr1(config)#crypto ipsec transform-set transform-set-name trans1 [trans2 [trans3]]
Rtr1(config)#no crypto ipsec transform-set transform-set-name
The command invokes the Crypto-Transform Configuration mode that
can be used to define up to four transform sets. Use the exit
command to end the configuration. Once defined, the transform sets can be
specified in a crypto map entry. The following example shows the creation of
four transform sets:
Rtr1#conf t
Rtr1(config)#crypto ipsec transform-set MD5-DES esp-md5-hmac esp-des
Rtr1(cfg-crypto-trans)#crypto ipsec transform-set DES-ONLY esp-des
Rtr1(cfg-crypto-trans)#crypto ipsec transform-set AH-ONLY ah-sha-hmac
Rtr1(cfg-crypto-trans)#crypto ipsec transform-set CPU-HOG ah-md5-hmac esp-md5-hmac esp-des
Rtr1(cfg-crypto-trans)#exit
Rtr1(config)#
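The following Python script is an added example, not code from the book or from Cisco IOS. It models three things the text describes: the rules a transform set must satisfy (one to three transforms, at most one per category, ESP authentication only alongside esp-des or esp-3des), the quick mode comparison in which the initiator offers its sets in order and the responder accepts the first one whose content matches one of its own, and the crypto ipsec transform-set configuration shown above, which it replays from a transcript. The TRANSFORM_KIND table is the example's own classification of the keywords named in the text; Rtr1's transcript is the book's example and Rtr2's is constructed for the demonstration. The mode subcommand it recognises is the IOS crypto-transform configuration command that sets tunnel or transport mode.

```python
import re
from dataclasses import dataclass

# Added example (not the book's or Cisco's code). Classification of the IOS
# transform keywords named in the text; this table is the example's own and
# drives the "pick up to one per category" rule.
TRANSFORM_KIND = {
    "ah-md5-hmac": "ah", "ah-sha-hmac": "ah",
    "esp-des": "esp-enc", "esp-3des": "esp-enc", "esp-rfc1829": "esp-enc",
    "esp-md5-hmac": "esp-auth", "esp-sha-hmac": "esp-auth",
    "comp-lzs": "comp",
}

# Optional "Rtr1(config)#" style prompt, then the command. The set name is
# local to the router and is never sent to the peer.
SET_CMD = re.compile(r"^(?:[^\s#]+#)?\s*crypto ipsec transform-set (\S+)\s+(.+)$")
NO_SET_CMD = re.compile(r"^(?:[^\s#]+#)?\s*no crypto ipsec transform-set (\S+)$")
MODE_CMD = re.compile(r"^(?:[^\s#]+#)?\s*mode (tunnel|transport)$")


@dataclass
class TransformSet:
    name: str
    transforms: frozenset
    mode: str = "tunnel"  # IOS default; "transport" is the other choice

    def proposal(self):
        """What is actually compared in quick mode: content plus mode, not name."""
        return (self.transforms, self.mode)


def validate(transforms):
    """Return the rule violations for a candidate set (empty list = acceptable)."""
    errors = []
    if not 1 <= len(transforms) <= 3:
        errors.append("a transform set holds one to three transforms")
    if len(set(transforms)) != len(transforms):
        errors.append("duplicate transform")
    unknown = [t for t in transforms if t not in TRANSFORM_KIND]
    if unknown:
        return errors + [f"unknown transform(s): {', '.join(unknown)}"]
    kinds = [TRANSFORM_KIND[t] for t in transforms]
    # At most one AH, one ESP encryption, one ESP authentication, one compression.
    for kind in ("ah", "esp-enc", "esp-auth", "comp"):
        if kinds.count(kind) > 1:
            errors.append(f"pick up to one {kind} transform")
    # ESP authentication only rides on esp-des or esp-3des, not esp-rfc1829.
    if "esp-auth" in kinds and not {"esp-des", "esp-3des"} & set(transforms):
        errors.append("ESP authentication requires esp-des or esp-3des")
    return errors


def parse_config(text):
    """Replay a configuration transcript and return the sets it leaves defined."""
    sets = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SET_CMD.match(line):
            name, transforms = m.group(1), m.group(2).split()
            problems = validate(transforms)
            if problems:
                raise ValueError(f"{name}: {'; '.join(problems)}")
            sets = [s for s in sets if s.name != name]  # redefining replaces
            sets.append(TransformSet(name, frozenset(transforms)))
        elif m := NO_SET_CMD.match(line):
            sets = [s for s in sets if s.name != m.group(1)]
        elif (m := MODE_CMD.match(line)) and sets:
            sets[-1].mode = m.group(1)  # applies to the set just defined
        # prompts, "conf t", "exit" and blank lines are ignored
    return sets


def negotiate(initiator, responder):
    """Quick mode as the text describes it: the initiator offers its sets in
    order and the responder accepts the first one whose content matches one
    of its own. Returns (initiator name, responder name), or None when the
    peers share no set and no SA can be built."""
    mine = {s.proposal(): s for s in responder}
    for offered in initiator:
        match = mine.get(offered.proposal())
        if match is not None:
            return offered.name, match.name
    return None


# Rtr1's transcript is the book's example; Rtr2's is constructed for the demo.
RTR1_CONFIG = """\
Rtr1#conf t
Rtr1(config)#crypto ipsec transform-set MD5-DES esp-md5-hmac esp-des
Rtr1(cfg-crypto-trans)#crypto ipsec transform-set DES-ONLY esp-des
Rtr1(cfg-crypto-trans)#crypto ipsec transform-set AH-ONLY ah-sha-hmac
Rtr1(cfg-crypto-trans)#crypto ipsec transform-set CPU-HOG ah-md5-hmac esp-md5-hmac esp-des
Rtr1(cfg-crypto-trans)#exit
Rtr1(config)#
"""
RTR2_CONFIG = """\
Rtr2(config)#crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
Rtr2(config)#crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
"""
```

Running negotiate(parse_config(RTR1_CONFIG), parse_config(RTR2_CONFIG)) pairs Rtr1's MD5-DES with Rtr2's LEGACY: the names differ and the transforms were typed in a different order, but the content is the same, which is all the peers compare. Appending a mode transport line to Rtr2's transcript changes LEGACY's mode and the negotiation then fails, showing that mode is part of the match.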
When IKE isn’t being used to establish SAs, a single
transform set must be configured and the transform set isn’t
negotiated.