crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
When to Use This Command
- Setting up a site-to-site VPN between two branch offices using AES encryption and SHA-HMAC authentication.
- Configuring a remote-access VPN for mobile workers with strong encryption (ESP-AES) and integrity checking (ESP-SHA-HMAC).
- Creating multiple transform sets for different security levels (e.g., one for internal traffic, another for partner connections).
- Replacing DES in an existing VPN with AES; single DES is obsolete and fails current compliance baselines.
Command Examples
Basic transform set with AES-128 and SHA-HMAC
Router(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
Router(cfg-crypto-trans)# exit
Router(config)# exit
Router# show running-config | section transform-set
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode tunnel
The command creates a transform set named MYSET using AES encryption with a 128-bit key and SHA-1 HMAC authentication, and drops you into transform-set configuration mode. The running-config output confirms the transform set and shows the default mode, tunnel.
Transform set with AES-256 and SHA-HMAC in transport mode
Router(config)# crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
Router(cfg-crypto-trans)# mode transport
Router(cfg-crypto-trans)# exit
Router(config)# exit
Router# show running-config | section transform-set
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode transport
This variant specifies AES with a 256-bit key and sets transport mode, which encrypts only the payload and keeps the original IP header. Transport mode is used when the IPsec peers are themselves the endpoints of the protected traffic, for example GRE over IPsec between two routers. The output shows the transform set and its mode.
Understanding the Output
The output of 'show crypto ipsec transform-set' lists each configured transform set: the name, the transforms in braces (for example { esp-aes esp-sha-hmac } or { esp-aes 256 esp-sha-hmac }), and a 'will negotiate = { Tunnel, }' (or Transport) line that gives the mode. A peer only proposes the transform sets that its crypto map entry lists with 'set transform-set', so in a real network you verify that at least one set offered by each peer is identical in encryption algorithm, key length, authentication algorithm and mode. If no proposal matches, the IPsec SA is never negotiated and 'show crypto ipsec sa' shows no active SA. Be suspicious of a set that uses esp-null (no encryption) or lists no authentication transform, or of a mode that is not what the design calls for. Finally, confirm with 'show crypto map' that the set is referenced by a crypto map entry and that the crypto map is applied to an interface.
CCNA Exam Tips
CCNA exam tip 1: The default mode is tunnel. Transport mode is used only when the IPsec peers are themselves the endpoints of the protected traffic, as with GRE over IPsec between two routers.
CCNA exam tip 2: A transform set proposed by one peer must match one offered by the other exactly (same encryption algorithm and key length, same authentication algorithm, same mode) for the IPsec SA to establish. A crypto map entry can list several transform sets in order of preference; any one match is enough.
CCNA exam tip 3: 'esp-aes' without a key length means a 128-bit key; specify 192 or 256 for a longer key.
CCNA exam tip 4: Defining the transform set does not activate it; it must be named in a crypto map entry with 'set transform-set', and that crypto map must be applied to an interface.
Common Mistakes
Mistake 1: Forgetting to reference the transform set from a crypto map entry ('set transform-set'), or to apply the crypto map to the interface – the set is defined but never proposed, so the VPN never comes up.
Mistake 2: Using transform sets on the two peers that differ in any one attribute (e.g., esp-aes on one side and esp-3des on the other, or tunnel mode on one side and transport mode on the other) – the peers share no proposal and negotiation fails.
Mistake 3: Typing 'esp-sha' instead of 'esp-sha-hmac' – IOS does not accept 'esp-sha' as a transform keyword. The HMAC authentication transforms are 'esp-sha-hmac' and 'esp-md5-hmac', plus 'esp-sha256-hmac' and the longer SHA-2 variants on newer IOS releases.
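The checks described under "Understanding the Output" and the first two mistakes above can be automated against saved running-configs. The following Python script is an added example, not code from the original page or from Cisco: it parses the 'crypto ipsec transform-set' and 'crypto map ... ipsec-isakmp' lines from two constructed config excerpts, reports transform sets that no crypto map entry offers, and lists the (local, remote) pairs the two peers could actually negotiate, treating mode and key length as part of the match. The hostnames, set names and addresses are assumptions made for the example.

```python
"""Added example (not from the original page or from Cisco): check two IOS
running-config excerpts for unreferenced transform sets and for a pair of
sets the peers can negotiate. The configs below are constructed inputs."""
import re
from dataclasses import dataclass

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+?)\s*$")
MODE_RE = re.compile(r"^\s+mode (tunnel|transport)\s*$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ ipsec-isakmp\s*$")
SET_TS_RE = re.compile(r"^\s+set transform-set (.+?)\s*$")


@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: frozenset  # e.g. {"esp-aes 256", "esp-sha-hmac"}
    mode: str              # IOS default is tunnel when no "mode" line follows


def _normalize(words):
    """Attach a bare key length to its keyword ("esp-aes 256" is one transform)
    and spell out the implicit 128-bit key of a plain "esp-aes"."""
    out = []
    for word in words.split():
        if word.isdigit():
            out[-1] = f"{out[-1]} {word}"
        else:
            out.append(word)
    return frozenset("esp-aes 128" if t == "esp-aes" else t for t in out)


def parse_config(text):
    """Return ({name: TransformSet}, {names referenced by crypto map entries})."""
    sets, referenced = {}, set()
    current = None   # transform set whose indented block we are inside
    in_map = False   # inside a "crypto map ... ipsec-isakmp" block
    for line in text.splitlines():
        if m := TS_RE.match(line):
            current, in_map = m.group(1), False
            sets[current] = TransformSet(current, _normalize(m.group(2)), "tunnel")
        elif current and (m := MODE_RE.match(line)):
            ts = sets[current]
            sets[current] = TransformSet(ts.name, ts.transforms, m.group(1))
        elif MAP_RE.match(line):
            current, in_map = None, True
        elif in_map and (m := SET_TS_RE.match(line)):
            referenced.update(m.group(1).split())
        elif line and not line.startswith(" "):
            current, in_map = None, False  # any other top-level command ends the block
    return sets, referenced


def unreferenced_sets(text):
    """Mistake 1: sets that exist but no crypto map entry ever offers."""
    sets, referenced = parse_config(text)
    return sorted(name for name in sets if name not in referenced)


def negotiable_pairs(local_text, remote_text):
    """Mistake 2 / exam tip 2: (local, remote) pairs with identical algorithms AND
    mode, counting only sets a crypto map offers. Empty list = no IPsec SA."""
    lsets, lref = parse_config(local_text)
    rsets, rref = parse_config(remote_text)
    return [
        (ln, rn)
        for ln in sorted(lref & set(lsets))
        for rn in sorted(rref & set(rsets))
        if (lsets[ln].transforms, lsets[ln].mode) == (rsets[rn].transforms, rsets[rn].mode)
    ]


# Constructed excerpt for the HQ router (assumed names and addresses). LEGACY is
# defined but never offered; STRONG is offered but uses transport mode.
HQ_CONFIG = """\
crypto isakmp key Branch1Key address 203.0.113.2
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG MYSET
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
"""

# Constructed excerpt for the branch router. BRANCH256 has the same algorithms as
# STRONG but the default tunnel mode, so the two do not match.
BRANCH_CONFIG = """\
crypto ipsec transform-set BRANCHSET esp-aes esp-sha-hmac
crypto ipsec transform-set BRANCH256 esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set BRANCHSET BRANCH256
 match address VPN-TRAFFIC
"""

if __name__ == "__main__":
    print("HQ sets never offered:", unreferenced_sets(HQ_CONFIG))     # ['LEGACY']
    print("negotiable:", negotiable_pairs(HQ_CONFIG, BRANCH_CONFIG))  # [('MYSET', 'BRANCHSET')]
```

Run it against the output of 'show running-config' saved from each peer. The STRONG/BRANCH256 case is the one worth noticing: identical algorithms and key length, but the mode differs, so the pair is not reported and the VPN would fail to negotiate if MYSET were removed.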
Related Commands
crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKE) policy for IPsec VPN negotiations, defining encryption, authentication, and key exchange parameters.
crypto map [name] [seq] ipsec-isakmp
Creates or modifies a crypto map entry for IPsec VPN configuration, defining the security policies and peer parameters for IKE and IPsec negotiations.
show crypto ipsec sa
Displays the current state and statistics of IPsec security associations (SAs) to verify VPN tunnel establishment and monitor encrypted traffic.