I have not seen a specific limit on the number of transform sets that you can define for a particular VPN Tunnel.
At the same time, I have not come across a lot of configurations where you have multiple transform sets for the same peer. Since the transform sets have to match for the IPSEC Tunnel to come up, most of the configurations have one transform set defined that matches on both the VPN Servers.
I tried configuring ten transform sets on a Pix firewall and did not have any issues with it. And I assume this should be the case for the routers as well.
Some info on transform sets:
A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list.
During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations. With manually established security associations, there is no negotiation with the peer, so both sides have to specify the same transform set.
You have to know that all of TS1, TS2 and TS3 can be used at the same time to provide CIA: cryptography, integrity, authentication. Each one can provide a different role for the traffic to protect, maybe ts1=esp-des for cryptography using the DES algorithm, ts2=esp-md5 for authentication using MD5...
So all three algorithms TS1, TS2 and TS3 in the transform-set TEST must match all the algorithms in the transform-set TEST-OTHER-PEER to be chosen for securing the traffic.
So you can create many transform sets TEST1, TEST2..., and you can specify more than one in your crypto map entries, and the one that is the same for both peers will be used for the CIA purpose.
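The negotiation described in the posts above, as an added configuration example that is not from either poster or from the quoted Cisco text. It assumes IOS router syntax; the set names, map name, ACL number, subnets and the 192.0.2.x peer addresses are constructed placeholders.

```cisco
! ---------- Peer A (192.0.2.1): offers two sets, highest priority first ----------
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
!
! Traffic to protect (placeholder subnets)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 ! Several sets in one crypto map entry; order is the preference order.
 ! Every set listed here is one this router will accept, so list only
 ! algorithms you are willing to run on the tunnel.
 set transform-set TS-AES256-SHA TS-3DES-SHA
 match address 101
!
! ---------- Peer B (192.0.2.2): has only one set ----------
! The set name is locally significant; only the transforms inside it
! (here esp-3des + esp-sha-hmac) have to be identical on both peers.
crypto ipsec transform-set B-ONLY-SET esp-3des esp-sha-hmac
!
! Mirror image of peer A's ACL
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set B-ONLY-SET
 match address 101
!
! Result: TS-AES256-SHA has no identical set on peer B, so the IPsec SAs
! are built with esp-3des + esp-sha-hmac, the one combination both hold.
!
! ---------- Verification (either peer) ----------
! show crypto ipsec transform-set   ! sets defined locally
! show crypto ipsec sa              ! transform actually in use on the SAs
```

Each crypto map still has to be applied to the outside interface with `crypto map VPN-MAP` under that interface, which is omitted here.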
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...