Page 32 of 72
Crypto map entries also include transform sets. A transform set is an acceptable combination of
security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic.
During the IPsec SA negotiation, the peers agree to use a particular transform set when
protecting a particular data flow.
4.6.1.1 IKEv1 Transform Sets
An Internet Key Exchange version 1 (IKEv1) transform set represents a certain combination of
security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a
particular transform set for protecting a particular data flow.
Privileged administrators can specify multiple transform sets and then specify one or more of
these transform sets in a crypto map entry. The transform set defined in the crypto map entry is
used in the IPsec SA negotiation to protect the data flows specified by that crypto map entry's
access list.
During IPsec security association negotiations with IKE, peers search for a transform set that is
the same at both peers. When such a transform set is found, it is selected and applied to the
protected traffic as part of both peers' IPsec SAs. (With manually established SAs, there is no
negotiation with the peer, so both sides must specify the same transform set.)
Note: If a transform set definition is changed during operation that the change is not applied to
existing security associations, but is used in subsequent negotiations to establish new SAs. If you
want the new settings to take effect sooner, you can clear all or part of the SA database by using
the clear crypto sa command.
The following settings must be set in configuring the IPsec with IKEv1 functionality for the
TOE:
TOE-common-criteria # conf t
TOE-common-criteria (config)#crypto isakmp policy 1
TOE-common-criteria (config-isakmp)# hash sha
TOE-common-criteria (config-isakmp)# encryption aes
This configures IPsec IKEv1 to use AES-CBC-128 for payload encryption. AES-
CBC-256 can be selected with āencryption aes 256ā.
Note: the authorized administrator must ensure that the keysize for this setting is
greater than or equal to the keysize selected for ESP in Section 4.6.2 below. If
AES 128 is selected here, then the highest keysize that can be selected on the TOE
for ESP is AES 128 (either CBC or GCM).
Note: Both confidentiality and integrity are configured with the hash sha and
encryption aes commands respectively. As a result, confidentiality-only mode is
disabled.
TOE-common-criteria (config-isakmp)# authentication pre-share
This configures IPsec to use pre-shared keys. X.509 v3 certificates are also
supported for authentication of IPsec peers. See Section 4.6.3 below for additional
information.
To Next Page
Loading...
Need help?
General
