• In part 1 I laid out the general configuration that I will be disusing through this series of posts. Part 1
  • In Part 2 I discussed ISAKMP polices.
  • Part 3 will be a shorter one about Transform-sets


Transform-sets are the ciphers that will be used in the actual Data encryption and authentication.

Right now this is what we are using, both DES and MD5 are considered to be very weak so we will want to change that.

crypto ipsec transform-set myset esp-des esp-md5-hmac

so lets look at what Is available. Cisco has a nice table on the available ciphers.

Ref: Cisco.com

Transform Type Transform Description
AH Transform (Pick only one.) ah-md5-hmac AH with the MD5 (Message Digest 5) (an HMAC variant) authentication algorithm. (No longer recommened).
  ah-sha-hmac AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm.
ESP Encryption Transform (Pick only one.) esp-aes ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm.
  esp-gmac The esp-gcm and esp-gmac transforms are ESPs with either a 128-bit or a 256-bit encryption algorithm. The default for either of these transforms is 128 bits. Both esp-gcm and esp-gmac transforms cannot be configured together with any other ESP transform within the same crypto IPsec transform set using the crypto ipsec transform-set command.
  esp-aes 192 ESP with the 192-bit AES encryption algorithm.
  esp-aes 256 ESP with the 256-bit AES encryption algorithm.
  esp-des ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm. (No longer recommended).
  esp-3des ESP with the 168-bit DES encryption algorithm (3DES or Triple DES). (No longer recommended).
  esp-null Null encryption algorithm.
  esp-seal ESP with the 160-bit SEAL encryption algorithm.
ESP Authentication Transform (Pick only one.) esp-md5-hma ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended).
  esp-sha-hmac ESP with the SHA (HMAC variant) authentication algorithm.
IP Compression Transform comp-lzs IP compression with the Lempel-Ziv-Stac (LZS) algorithm

Lets take one moment to discus AH vs ESP.

  • AH is authentication only. This authenticates that the traffic came from the remote router and has not been modified in transit. But does not protect it from any attacker seeing your traffic in transit.
  • ESP encrypts and authenticates the traffic any is probably what you are looking for.

Comp-lzs is also an option on low speed links but your mileage will verify depending on your router and traffic.

As with before we will be going with the highest supported cipers.

crypto ipsec transform-set myset esp-sha-hmac esp-aes 256

In this case we selected esp-sha-hmac for our authentication and esp-aes 256 for encryption. (note you can find some recommendations from Cisco here on what ciphers you should use. but this was last updated in 2014.)

This is also where you would set transport mode or tunnel mode. I will discus this in a later post.

After making this change on both routers we can verify the ciphers in use with.

RouterB#show crypto ipsec transform-set
Transform set myset: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },