Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 73 Configuring LAN-to-LAN IPsec VPNs
Perform the following steps and use the command syntax in the following examples as a guide:
Step 1
Enter IPsec IKEv2 policy configuration mode. For example:
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)#
Step 2
Set the encryption method. The following example configures 3DES:
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)#
Step 3
Set the Diffie-Hellman group. The following example configures Group 2:
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)#
Step 4
Set the pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption. The following example configures SHA-1 (an HMAC variant):
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)#
Step 5
Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours):
hostname(config-ikev2-policy)# lifetime 43200
hostname(config-ikev2-policy)#
Step 6
Enable IKEv2 on the interface named outside:
hostname(config)# crypto ikev2 enable outside
hostname(config)#
Step 7
To save your changes, enter the write memory command:
hostname(config)# write memory
hostname(config)#
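Once Steps 1 through 7 are in the running configuration, the policy is text that can be reviewed like any other. The following script is an added example, not part of the Cisco guide: it parses the `crypto ikev2 policy` blocks out of a constructed config excerpt (policy 1 mirrors the steps above; policy 10 is a stronger contrast) and reports settings that current Cisco and NIST guidance treat as legacy. It assumes the ASA's stored form `lifetime seconds N`, but the parser also accepts the abbreviated `lifetime N` shown in Step 5.

```python
import re

# Constructed sample ASA running-config excerpt (not captured from a device):
# policy 1 mirrors Steps 1-7 above, policy 10 is a stronger policy for contrast.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption 3des
 group 2
 prf sha
 lifetime seconds 43200
crypto ikev2 policy 10
 encryption aes-256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
"""
MAX_LIFETIME = 86400  # ASA default; a longer value keeps one IKE SA key in use longer
# Each check: (policy keyword, values treated as legacy by current Cisco/NIST guidance, label)
LEGACY_CHECKS = [
    ("encryption", {"des", "3des"}, "legacy cipher"),
    ("group", {"1", "2", "5"}, "weak DH group"),
    ("prf", {"md5"}, "weak PRF"),
]

def parse_ikev2_policies(config: str) -> dict:
    """Map each 'crypto ikev2 policy N' number to its indented keyword/value settings."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)", line)
        if m:
            current = m.group(1)
            policies[current] = {}
        elif current and line.startswith(" "):
            parts = line.split()
            policies[current][parts[0]] = parts[-1]  # 'lifetime seconds 43200' -> '43200'
        else:
            current = None  # any non-indented line ends the policy block
    return policies

def audit_policy(settings: dict) -> list:
    """Return findings for one policy; an empty list means nothing legacy was found."""
    findings = [f"{label} {settings[key]}"
                for key, legacy, label in LEGACY_CHECKS if settings.get(key) in legacy]
    if int(settings.get("lifetime", 0)) > MAX_LIFETIME:
        findings.append(f"lifetime exceeds {MAX_LIFETIME} seconds")
    return findings

def audit_config(config: str) -> dict:
    return {n: audit_policy(s) for n, s in parse_ikev2_policies(config).items()}
```

Run `audit_config` over `show running-config` output to get a per-policy findings list; the SHA-1 PRF from Step 4 is not flagged here, only MD5.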
Creating an IKEv1 Transform Set
An IKEv1 transform set combines an encryption method and an authentication method. During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same for both peers.
A transform set protects the data flows for the access list specified in the associated crypto map entry. You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in a crypto map or dynamic crypto map entry.
Table 73-1 lists valid encryption and authentication methods.

Table 73-1 Valid Encryption and Authentication Methods

Valid Encryption Methods          Valid Authentication Methods
esp-des                           esp-md5-hmac
esp-3des (default)                esp-sha-hmac (default)
esp-aes (128-bit encryption)
esp-aes-192