cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13808
Views
25
Helpful
4
Replies
Highlighted
Beginner

Transform sets vs. IKE policy attributes

Forum

I wanted to get some insight on the difference between Transform sets being used in IPSEC tunnels vs. the IKE policies themselves.

It gets a bit confusing trying to keep both separate in understanding, especially since the transform sets seem to use some of the same values that the IKE policies do.

Here is an example of what I am talking about:

Lets say I create the following IKE policy:

Lifetime 86400

Hash SHA1

Encryption: 3DES

Authentication: Preshare

Group : 2

Then on to the Transform set:  crypto IPsec transform set MYSET  esp-3DES esp-MD5-hmac

 

My questions are these:

1.  what is the transform set transforming specifically?

2.  Is it correct to say that the Transfrom set, in addition to the IKE policy, uses 3DES encryption.

3.  What are the differences between the transform set and the IKE policy?

 

Thank You

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Hello Kevin, Basically there

Hello Kevin,

 

Basically there is phase 1 and phase 2:

Phase 1 creates the first tunnel and it will use the crypto isakmp policy to build it, it will be based on the Pre shared key and the ISAKMP policy

 

* Phase 1 can be verified by the show command --> show crypto isakmp sa

 

* Phase 2 will be the second tunnel which will transport the traffic encrypted based on the transform set. You can verify it by --> Show crypto ipsec sa

 

------------------------------------------------------------------------------

Regarding Transform Sets:

A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic,  During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow

 

Selecting Appropriate Transforms

 

The following tips may help you select transforms that are appropriate for your situation:

 

If you want to provide data confidentiality, include an ESP encryption transform.

 

If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)

 

If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.

 

If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower.

 

Note that some transforms might not be supported by the IPSec peer.

 

In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

 

Suggested transform combinations:

 

esp-des and esp-sha-hmac

 

ah-sha-hmac and esp-des and esp-sha-hmac

 

Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.

 

crypto isakmp policy Table You can see it on that link

 

 

- http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ike.html#wp1060317

 

 

Please don't forget to rate and mark as correct the helpful Post!

 

Regards,

 

David Castro

View solution in original post

4 REPLIES 4

Hello Kevin, Basically there

Hello Kevin,

 

Basically there is phase 1 and phase 2:

Phase 1 creates the first tunnel and it will use the crypto isakmp policy to build it, it will be based on the Pre shared key and the ISAKMP policy

 

* Phase 1 can be verified by the show command --> show crypto isakmp sa

 

* Phase 2 will be the second tunnel which will transport the traffic encrypted based on the transform set. You can verify it by --> Show crypto ipsec sa

 

------------------------------------------------------------------------------

Regarding Transform Sets:

A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic,  During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow

 

Selecting Appropriate Transforms

 

The following tips may help you select transforms that are appropriate for your situation:

 

If you want to provide data confidentiality, include an ESP encryption transform.

 

If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)

 

If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.

 

If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower.

 

Note that some transforms might not be supported by the IPSec peer.

 

In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

 

Suggested transform combinations:

 

esp-des and esp-sha-hmac

 

ah-sha-hmac and esp-des and esp-sha-hmac

 

Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.

 

crypto isakmp policy Table You can see it on that link

 

 

- http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ike.html#wp1060317

 

 

Please don't forget to rate and mark as correct the helpful Post!

 

Regards,

 

David Castro

View solution in original post

Cisco Employee

As David mentioned, Transform

As David mentioned, Transform-set (going by the terminology), defines the attributes going to be used by the IPSEC SA to secure the data (encryption, authentication and integrity). The ISAKMP proposals define the attribute to be used by the ISAKMP SA in phase 1 to secure the negotiation of the IPSEC SA.

Beginner

great follow up thank you

great follow up thank you

Beginner

thank you for the info!!!!

thank you for the info!!!!