02-20-2015 08:19 AM
I wanted to get some insight on the difference between transform sets being used in IPsec tunnels vs. the IKE policies themselves.
It gets a bit confusing trying to keep both separate in understanding, especially since the transform sets seem to use some of the same values that the IKE policies do.
Here is an example of what I am talking about:
Let's say I create the following IKE policy:
Lifetime 86400
Hash SHA1
Encryption: 3DES
Authentication: Preshare
Group : 2
Then on to the transform set: crypto IPsec transform set MYSET esp-3DES esp-MD5-hmac
My questions are these:
1. What is the transform set transforming specifically?
2. Is it correct to say that the transform set, in addition to the IKE policy, uses 3DES encryption?
3. What are the differences between the transform set and the IKE policy?
Thank you
02-20-2015 04:15 PM
Hello Kevin,
Basically there is phase 1 and phase 2:
Phase 1 creates the first tunnel, and it will use the crypto isakmp policy to build it; it will be based on the pre-shared key and the ISAKMP policy.
* Phase 1 can be verified by the show command --> show crypto isakmp sa
* Phase 2 will be the second tunnel, which will transport the traffic encrypted based on the transform set. You can verify it by --> show crypto ipsec sa
------------------------------------------------------------------------------
Regarding Transform Sets:
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPsec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:
• If you want to provide data confidentiality, include an ESP encryption transform.
• If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)
• If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
• If you want data authentication (either using ESP or AH), you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower.
• Note that some transforms might not be supported by the IPsec peer.
• In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.
Suggested transform combinations:
• esp-des and esp-sha-hmac
• ah-sha-hmac and esp-des and esp-sha-hmac
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.
crypto isakmp policy table: you can see it at this link
- http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ike.html#wp1060317
Please don't forget to rate and mark as correct the helpful post!
Regards,
David Castro
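To make the two-phase split above concrete, here is an added Cisco IOS configuration fragment (example configuration written for this thread, not a config posted by David or by Cisco) that wires together the exact IKE policy and transform set from Kevin's question. The peer address 203.0.113.2, the local address 203.0.113.1, the subnets 10.1.1.0/24 and 10.2.2.0/24, the key string EXAMPLE_PSK, and the names VPN-TRAFFIC and VPNMAP are all constructed placeholders; the policy values, MYSET and its transforms come from the question.

```cisco
! ----- Phase 1: ISAKMP/IKE policy -----
! Protects the IKE negotiation itself (the "first tunnel").
! These values are never applied to user data.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key for the remote peer (placeholder key and address)
crypto isakmp key EXAMPLE_PSK address 203.0.113.2
!
! ----- Phase 2: IPsec transform set -----
! Protects the data traffic (the "second tunnel"). Its 3DES is
! negotiated separately from the 3DES in the isakmp policy above;
! either side could be changed without touching the other.
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 mode tunnel
!
! Interesting traffic selector (constructed example subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! The crypto map ties the peer, the phase-2 transform set and the
! traffic selector together; phase 1 is picked up from the isakmp
! policies automatically (ipsec-isakmp).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set MYSET
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
```

After interesting traffic brings the tunnel up, `show crypto isakmp sa` reports the phase-1 (IKE) SA built from the isakmp policy, and `show crypto ipsec sa` reports the phase-2 SAs built from MYSET, with per-SA packet counters, so the two layers can be checked independently. Note that 3DES, MD5 and DH group 2 are legacy choices that Cisco now marks as weak; the structure stays the same if both the isakmp policy and the transform set are moved to AES and SHA-2 with a larger DH group.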
02-20-2015 06:38 PM
As David mentioned, the transform set (going by the terminology) defines the attributes that are going to be used by the IPsec SA to secure the data (encryption, authentication and integrity). The ISAKMP proposals define the attributes to be used by the ISAKMP SA in phase 1 to secure the negotiation of the IPsec SA.
03-28-2017 07:47 PM
great follow up thank you
03-28-2017 07:47 PM
thank you for the info!!!!