transform set

ajagadee Fri, 09/29/2006 - 14:25
  Cisco Employee


I have not seen a specific limit on the number of transform sets that you can define for a particular VPN Tunnel.

At the same time, I have not come across a lot of configurations where you have multiple transform sets for the same peer. Since the transform sets have to match for the IPSEC Tunnel to come up, most of the configurations have one transform set defined that matches on both the VPN Servers.

I tried configuring ten transform sets on a Pix firewall and did not have any issues with it. And I assume this should be the case for the routers as well.

Some info on transform sets:

A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list.

During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations. With manually established security associations, there is no negotiation with the peer, so both sides have to specify the same transform set.


Let me know if it helps.
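The matching rule quoted above (a transform set is chosen only when it is the same on both peers), as an added example that is not from this thread or from Cisco: a small Python model that parses constructed IOS-style transform-set and crypto map lines for two peers and returns the first transform set listed on the initiator's crypto map whose transforms all match one of the responder's sets. The peer names, addresses and transform-set names are made up, and trying the initiator's sets in listed order is an assumption of the model.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed IOS-style fragments for two peers (sample input, not from the thread).
# Peer A offers STRONG first, then LEGACY; peer B offers TS1, then TS2.
PEER_A = """
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG LEGACY
"""
PEER_B = """
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
crypto ipsec transform-set TS2 esp-aes esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS1 TS2
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)((?:[ \t]+\S+)+)[ \t]*$", re.M)
MAP_RE = re.compile(r"^[ \t]*set transform-set((?:[ \t]+\S+)+)[ \t]*$", re.M)


def parse_transform_sets(cfg: str) -> Dict[str, FrozenSet[str]]:
    """Name -> the transforms that set carries (order inside one set is irrelevant)."""
    return {m.group(1): frozenset(m.group(2).split()) for m in TS_RE.finditer(cfg)}


def proposal_order(cfg: str) -> List[str]:
    """Transform-set names a crypto map entry offers, in the order they are listed."""
    m = MAP_RE.search(cfg)
    return m.group(1).split() if m else []


def negotiate(initiator_cfg: str, responder_cfg: str) -> Optional[Tuple[str, str]]:
    """Return (initiator set name, responder set name) of the first match, or None.

    A set matches only when every transform in it is present in the peer's set:
    STRONG vs TS2 differ in one transform (esp-sha-hmac vs esp-md5-hmac), so they fail.
    Assumption: the initiator's sets are tried in the order listed on the crypto map.
    """
    init_sets = parse_transform_sets(initiator_cfg)
    resp_sets = parse_transform_sets(responder_cfg)
    for init_name in proposal_order(initiator_cfg):
        for resp_name in proposal_order(responder_cfg):
            if init_sets[init_name] == resp_sets[resp_name]:
                return init_name, resp_name
    return None


if __name__ == "__main__":
    print(negotiate(PEER_A, PEER_B))  # ('LEGACY', 'TS1')
```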



agyey_cisco Thu, 01/04/2007 - 11:13
In case there is more than one Transform Set specified under the crypto map entries on both peers, and the 2 Transform Sets match on both peers, then what is the expected behaviour?



kamal-learn Thu, 01/04/2007 - 14:29
  Bronze, 100 points or more


I added the following to the latest posts. I think you are wondering about the number of algorithms allowed in a transform-set: yes indeed, no more than three (3).

transform-set TEST algorithm1 algorithm2 algorithm3.

For the number of transform-sets I have nothing to add; all is clear in the other post.




agyey_cisco Fri, 01/05/2007 - 08:39
Thanks for the response.

However my question is different.


"transform-set TEST TS1 TS2 TS3"

where TS1, TS2 and TS3 match on both peers, then

A. Are all the 3 algorithms applied, or is only the first matching algorithm (i.e. TS1) applied on the data to be secured?

B. If all the 3 algorithms/TS are selected, then what is the procedure in which they are applied to the data to be secured?



kamal-learn Fri, 01/05/2007 - 19:57
  Bronze, 100 points or more


your A and B questions :

You have to know that all of TS1, TS2, TS3 can be used at the same time to provide CIA: cryptography, integrity, authentication. Each one can provide a different role for the traffic to protect; maybe ts1=esp-des (cryptography using algorithm des), ts2=esp-md5 (for authentication using md5)...

So all three algorithms TS1, TS2, TS3 in the transform-set TEST must match all the algorithms in the transform-set TEST-OTHER-PEER to be chosen for securing the traffic.

So you can create many transform-sets TEST1, TEST2..., and you can specify more than one in your crypto map entries, and the one that is the same for both peers will be used for the CIA purpose.





