Configuring transform-sets
About this task
A transform-set defines the IKE phase 2 parameters. It specifies the encryption and
authentication algorithms to be used, sets a security association lifetime, and specifies whether
PFS is enabled and which DH group it uses. In addition, it specifies the IPSec VPN mode
(tunnel or transport).
Note:
You can define up to 40 transform-sets.
Important:
Define at least one transform-set.
Procedure
1. Use the crypto ipsec transform-set command to enter the context of a
transform-set (and to create the transform-set if it does not exist).
The command variables include:
• The name of the transform-set
• The encryption algorithm used by the transform-set. Possible values are
esp-des, esp-3des, esp-aes, esp-aes-192, esp-aes-256 and esp-null (no
encryption).
• The authentication algorithm used by the transform-set. Possible values are
esp-md5-hmac and esp-sha-hmac.
• The IP compression algorithm used by the transform-set. The only possible
value is comp-lzs.
For example:
Gxxx-001# crypto ipsec transform-set ts1 esp-3des esp-md5-hmac comp-lzs
Gxxx-001(config-transform:ts1)#
2. You can use the following commands to set the parameters of the transform-set:
• Use the set pfs command to specify whether each IKE phase 2 negotiation
employs Perfect Forward Secrecy (PFS) and, if so, which Diffie-Hellman
group to employ. PFS ensures that even if someone were to discover the
long-term secret(s), the attacker would not be able to recover the session
keys, both past and present. In addition, the discovery of a session key
compromises neither the long-term secrets nor the other session keys. The
default setting is no set pfs.
• Use the set security-association lifetime seconds command to set the
security association lifetime in seconds.
• Use the set security-association lifetime kilobytes command to set the
security association lifetime in kilobytes.
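An added example, not from the Avaya manual: a small Python audit that reads transform-set definitions and reports weak encryption or authentication values and transform-sets left without PFS. The weak-algorithm policy and the sample lines are assumptions of this example, and <dh-group> is a placeholder because the page does not show the argument syntax of set pfs.

```python
# Added example, not from the Avaya manual. The policy (what counts as weak)
# is this example's assumption; the token lists come from the page.
KNOWN = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256",
         "esp-null", "esp-md5-hmac", "esp-sha-hmac", "comp-lzs"}
WEAK = {"esp-des": "single DES encryption",
        "esp-3des": "3DES encryption (64-bit block cipher)",
        "esp-null": "no encryption",
        "esp-md5-hmac": "HMAC-MD5 authentication"}

def audit(config_text):
    """Return {transform-set name: [findings]} for pasted CLI lines."""
    sets, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split("# ", 1)[-1].split()   # drop a CLI prompt if present
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
            # Entering (or creating) a transform-set context; PFS starts off,
            # matching the documented default of "no set pfs".
            current = sets.setdefault(words[3], {"algs": words[4:], "pfs": False})
        elif current is not None and words[:3] == ["no", "set", "pfs"]:
            current["pfs"] = False
        elif current is not None and words[:2] == ["set", "pfs"]:
            current["pfs"] = True
    report = {}
    for name, ts in sets.items():
        findings = [f"{a}: {WEAK[a]}" for a in ts["algs"] if a in WEAK]
        findings += [f"{a}: not a value listed in the manual"
                     for a in ts["algs"] if a not in KNOWN]
        if not ts["pfs"]:
            findings.append("PFS disabled")
        report[name] = findings
    return report

# Constructed sample input. "<dh-group>" is a placeholder: the page does not
# show the argument syntax of "set pfs".
SAMPLE = """\
crypto ipsec transform-set ts1 esp-3des esp-md5-hmac comp-lzs
no set pfs
crypto ipsec transform-set ts2 esp-aes-256 esp-sha-hmac
set pfs <dh-group>
crypto ipsec transform-set ts3 esp-null esp-sha-hmac
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```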
IPSec VPN
488 Administering Avaya G430 Branch Gateway
October 2013