
Regarding selection of a transform set during security association

shikharverma201
Level 1

How to choose a transform set used by a device during the security associations process? On what parameter does a device choose a transform set from a list of transform sets?

Accepted Solutions

All algorithms must match (encryption and hashing/integrity) in order to establish a tunnel.

The device initiating the tunnel will send its supported algorithms to the peer, which will then attempt to find a match, starting with the highest priority first until a match is found and the tunnel is built.
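The matching rule described in this answer, as an added Python model (not part of the original post and not Cisco code). The transform set names and algorithm labels are constructed, and the model assumes the offer is walked in the initiator's priority order.

```python
from typing import NamedTuple, Optional, Sequence, Tuple


class TransformSet(NamedTuple):
    """One transform set; both algorithms must agree for a match."""
    name: str        # local label only, never compared with the peer
    encryption: str
    integrity: str


def select_transform_set(
    offered: Sequence[TransformSet],
    local: Sequence[TransformSet],
) -> Optional[Tuple[TransformSet, TransformSet]]:
    """Return (offered_set, local_set) for the first full match, else None.

    Assumption: offered sets are tried highest priority first, and a set
    matches only if encryption AND integrity are both identical.
    """
    for theirs in offered:
        for ours in local:
            if (theirs.encryption, theirs.integrity) == (ours.encryption, ours.integrity):
                return theirs, ours
    return None  # no common transform set: the tunnel is not built


# Constructed sample data (hypothetical names and algorithm labels).
INITIATOR = [
    TransformSet("TS-STRONG", "aes-256", "sha256"),
    TransformSet("TS-COMPAT", "aes-128", "sha1"),
]
RESPONDER_OK = [
    TransformSet("R-COMPAT", "aes-128", "sha1"),
    TransformSet("R-STRONG", "aes-256", "sha256"),
]
# Every algorithm is known to both sides, but never in the same pairing.
RESPONDER_MIXED = [
    TransformSet("R-MIX1", "aes-256", "sha1"),
    TransformSet("R-MIX2", "aes-128", "sha256"),
]

if __name__ == "__main__":
    print(select_transform_set(INITIATOR, RESPONDER_OK))
    print(select_transform_set(INITIATOR, RESPONDER_MIXED))
```

The second case returns no match because a transform set is compared as a whole; algorithms are not mixed across sets.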


4 Replies

Hi,

If you specify a transform set with multiple algorithms, the router/firewall will attempt to negotiate with the peer router/firewall in order of priority (highest priority first) until they mutually agree upon an algorithm both peers support.

HTH

Hi! Thanks for such quick answers. However, I still have a doubt about "what parameter or condition decides the mutual agreement and who decides on which priority level peers should agree?" Is it automatic, or do administrators define fixed transform sets for both peers?

shikharverma201
Level 1

@Rob Ingram Thank you very much for the clarification. It cleared my doubts. Thanks again.