Cisco Support Community
Community Member

transform set

How many transform sets are allowed, 2 or 3?

Cisco Employee

Re: transform set


I have not seen a specific limit on the number of transform sets that you can define for a particular VPN Tunnel.

At the same time, I have not come across a lot of configurations where you have multiple transform sets for the same peer. Since the transform sets have to match for the IPSEC Tunnel to come up, most of the configurations have one transform set defined that matches on both the VPN Servers.

I tried configuring ten transform sets on a Pix firewall and did not have any issues with it. And I assume this should be the case for the routers as well.

Some info on transform sets:

A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list.

During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations. With manually established security associations, there is no negotiation with the peer, so both sides have to specify the same transform set.


Let me know if it helps.



Community Member

Re: transform set


In case there is more than one Transform Set specified under the crypto map entries on both peers


The 2 Transform Sets match on both peers,

then what is the expected behaviour?

Thanks in Advance


Re: transform set


I added the following to the latest posts. I think you are wondering about the number of algorithms allowed in a transform-set; yes indeed, no more than three (3).

transform-set TEST algorithm1 algorithm2 algorithm3.

For the number of transform-sets I have nothing to add; all is clear in the other post.


Do rate if it does help

Community Member

Re: transform set


Thanks for the response.

However my question is different.


"transform-set TEST TS1 TS2 TS3"

where TS1, TS2 and TS3 match on both peers, then

A. Are all the 3 algorithms applied or is only the first matching algorithm (i.e. TS1) applied on the data to be secured?

B. If all the 3 algorithms/TS are selected, then what is the procedure in which they are applied to the data to be secured?

Thanks in Advance


Re: transform set


Your A and B questions:

You have to know that all of TS1, TS2 and TS3 can be used at the same time to provide CIA (cryptography, integrity, authentication); each one can provide a different role for the traffic to protect, maybe ts1=esp-des for cryptography using the DES algorithm, ts2=esp-md5 for authentication using MD5...

So all three algorithms TS1 TS2 TS3 in the transform-set TEST must match all the algorithms in the transform-set TEST-OTHER-PEER to be chosen for securing the traffic.

So you can create many transform-sets TEST1 TEST2..., and you can specify more than one in your crypto map entries, and the one that is the same for both peers will be used for the CIA purpose.


do rate if it does help
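
The matching described in this thread, as an added example (not code from any poster or from Cisco): a simplified Python model that assumes the initiator offers its transform sets in crypto-map order and the responder accepts the first offer equal to one of its own. The peer configurations, the set names and the `parse`/`negotiate` helpers are constructed for illustration.

```python
import re

# Constructed sample configs for two peers (not taken from the thread).
PEER_A = """
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
crypto ipsec transform-set TS2 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS3 esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set TS1 TS2 TS3
"""
PEER_B = """
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set STRONG LEGACY
"""

def parse(config):
    """Return the crypto map's transform sets, in configured order, as
    (name, frozenset of transforms). Names are local to each peer; only
    the transforms themselves are compared during matching."""
    defs, order = {}, []
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            # Fold a key length into its cipher: "esp-aes 256" -> "esp-aes-256"
            transforms = re.sub(r"(esp-aes) (\d+)", r"\1-\2", m.group(2)).split()
            defs[m.group(1)] = frozenset(transforms)
            continue
        m = re.match(r"\s*set transform-set (.+)", line)
        if m:
            order = m.group(1).split()
    missing = [n for n in order if n not in defs]
    if missing:
        raise ValueError(f"crypto map references undefined transform sets: {missing}")
    return [(n, defs[n]) for n in order]

def negotiate(initiator_cfg, responder_cfg):
    """Simplified model (assumption): offers go out in the initiator's order
    and the responder accepts the first one equal to one of its own sets."""
    responder = parse(responder_cfg)
    for i_name, transforms in parse(initiator_cfg):
        for r_name, r_transforms in responder:
            if transforms == r_transforms:
                return i_name, r_name, sorted(transforms)
    return None  # no common transform set: the IPsec SA is not established
```

With these sample configs the outcome depends on which peer initiates: `negotiate(PEER_A, PEER_B)` settles on the 3DES/MD5 set, while `negotiate(PEER_B, PEER_A)` settles on AES-256/SHA, so the preferred set belongs first in the list on both sides.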
