The transform set is not negotiated, and the IPsec transform set must be
configured in tunnel mode only.
Step 5: Create an IPsec Profile
CAUTION: Static VTIs support only a single IPsec SA that is attached to the VTI
interface. The traffic selector for the IPsec SA is always "IP any any".
Winnipeg(config)#crypto ipsec transform-set TRANSFORM-1 esp-aes 256 esp-sha-hmac ah-sha-hmac
    Specifies the IPsec security protocol (AH or ESP) and the algorithm you want to use
Winnipeg(cfg-crypto-trans)#exit
    Returns to global configuration mode
Winnipeg(config)#
    NOTE: Not all IPsec transform settings are offered on all crypto-capable IOS images. Configure the settings supported by your IOS image.
Edmonton(config)#crypto ipsec transform-set TRANSFORM-1 esp-aes 256 esp-sha-hmac ah-sha-hmac
    Specifies the IPsec security protocol (AH or ESP) and the algorithm you want to use
Edmonton(cfg-crypto-trans)#exit
    Returns to global configuration mode
Edmonton(config)#
Configuring a Static IPsec Virtual Tunnel Interface
Step 6: Create the IPsec Virtual Tunnel Interface
Winnipeg(config)#crypto ipsec profile PROFILE-1
    Creates the Winnipeg IPsec profile PROFILE-1
Winnipeg(ipsec-profile)#set transform-set TRANSFORM-1
    Links the transform TRANSFORM-1 to the profile PROFILE-1
    NOTE: There are no match clauses in an IPsec profile, only set statements.
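The tunnel-mode requirement and the set-only rule for IPsec profiles can be checked offline against a saved configuration. The script below is an added example, not part of the original guide; the function name audit_vti_profiles and the sample configuration (TRANSFORM-2, TRANSFORM-9, PROFILE-2, PROFILE-3) are constructed for illustration.

```python
import re

# Constructed sample configuration fragment (not from the original page).
SAMPLE = """\
crypto ipsec transform-set TRANSFORM-1 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TRANSFORM-2 esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile PROFILE-1
 set transform-set TRANSFORM-1
crypto ipsec profile PROFILE-2
 set transform-set TRANSFORM-2
crypto ipsec profile PROFILE-3
 set transform-set TRANSFORM-9
"""

def audit_vti_profiles(config):
    """Return sorted findings for the IPsec profiles in an IOS config text."""
    modes, profiles, block = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command opens a new block
            ts = re.match(r"crypto ipsec transform-set (\S+)", line)
            pf = re.match(r"crypto ipsec profile (\S+)", line)
            block = ("ts", ts.group(1)) if ts else ("pf", pf.group(1)) if pf else None
            if ts:
                modes[ts.group(1)] = "tunnel"  # IOS default when no mode line is present
            if pf:
                profiles[pf.group(1)] = []
            continue
        words = line.split()
        if block is None or not words:
            continue
        if block[0] == "ts" and words[0] == "mode" and len(words) > 1:
            modes[block[1]] = words[1]
        elif block[0] == "pf":
            profiles[block[1]].append(words)
    findings = []
    for name, stmts in profiles.items():
        for words in stmts:
            if words[0] == "match":  # profiles carry set statements only
                findings.append(f"{name}: match clause '{' '.join(words)}'")
            elif words[:2] == ["set", "transform-set"]:
                for ts_name in words[2:]:
                    if ts_name not in modes:
                        findings.append(f"{name}: transform set {ts_name} is not defined")
                    elif modes[ts_name] != "tunnel":
                        findings.append(f"{name}: transform set {ts_name} uses mode {modes[ts_name]}")
    return sorted(findings)
```
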