set transform-set [name]
Applies a previously defined IPsec transform set, which specifies the encryption and authentication algorithms used to protect VPN traffic, to a crypto map entry.
When to Use This Command
- Configuring a VPN between two branch offices using AES-256 encryption and SHA-256 authentication.
- Setting up a remote access VPN for teleworkers with 3DES encryption and MD5 authentication.
- Creating multiple transform sets for different VPN peers with varying security requirements.
- Modifying an existing transform set to upgrade from SHA-1 to SHA-256 for stronger integrity.
Command Examples
Basic transform set with ESP encryption and authentication
set transform-set ESP-AES256-SHA256

Router(config-crypto-map)# set transform-set ESP-AES256-SHA256
Router(config-crypto-map)#
The command assigns the pre-defined transform set named 'ESP-AES256-SHA256' to the crypto map entry. No output is displayed if successful; the prompt returns to crypto map config mode.
Creating a transform set and applying it to a crypto map
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
set transform-set ESP-3DES-MD5

Router(config)# crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
Router(cfg-crypto-trans)# exit
Router(config)# crypto map MYMAP 10 ipsec-isakmp
Router(config-crypto-map)# set transform-set ESP-3DES-MD5
Router(config-crypto-map)#
First, a transform set named 'ESP-3DES-MD5' is created using 3DES encryption and MD5 HMAC authentication. Then, in crypto map configuration mode for map 'MYMAP' sequence 10, the transform set is applied. No output confirms success.
Understanding the Output
The 'set transform-set' command does not produce any output on its own; it simply associates a transform set with a crypto map entry. To verify the configuration, use 'show crypto map' or 'show crypto ipsec transform-set'. In 'show crypto map', the transform set name appears under each crypto map entry. For example, 'Transform set={ESP-AES256-SHA256}' indicates the transform set is applied. A missing or incorrect transform set will cause IPsec negotiation failures. Ensure the transform set exists and matches the peer's configuration.
CCNA Exam Tips
CCNA exam tip 1: Transform sets must match on both VPN peers; mismatched algorithms cause IKE phase 2 failure.
CCNA exam tip 2: The 'set transform-set' command is used in crypto map config mode, not global config.
CCNA exam tip 3: Know that ESP provides both encryption and authentication; AH is rarely used and not in CCNA scope.
CCNA exam tip 4: Transform sets are created globally and then referenced by name in the crypto map.
Common Mistakes
Mistake 1: Forgetting to create the transform set before referencing it in the crypto map, resulting in an error.
Mistake 2: Using incompatible algorithms (e.g., esp-aes and esp-sha-hmac) that are not supported together.
Mistake 3: Applying the transform set in global config mode instead of crypto map config mode.
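As an added example (not from the page or from Cisco), the following Python script audits a running-config excerpt for the two problems discussed above: a crypto map entry whose 'set transform-set' names a transform set that was never created globally (Mistake 1), and entries still using 3DES, MD5 or SHA-1 transforms that the tips recommend upgrading. The sample configuration and the list of weak transforms are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the page): entry 20 references a
# transform set that was never defined; entry 30 still uses 3DES with MD5 HMAC.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set transform-set ESP-AES256-SHA256
crypto map MYMAP 20 ipsec-isakmp
 set transform-set ESP-AES-SHA
crypto map MYMAP 30 ipsec-isakmp
 set transform-set ESP-3DES-MD5
"""

# Transforms flagged as weak; this list is an assumption, not part of the page.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
SET_RE = re.compile(r"^\s+set transform-set (.+)$")


def parse_config(text):
    """Return (transform sets by name, crypto map entries) from an IOS config."""
    transform_sets, entries, current = {}, [], None
    for line in text.splitlines():
        if m := TS_RE.match(line):
            transform_sets[m.group(1)] = m.group(2).split()  # defined globally
            current = None
        elif m := MAP_RE.match(line):
            current = (m.group(1), int(m.group(2)), [])  # (map, seq, ts names)
            entries.append(current)
        elif (m := SET_RE.match(line)) and current is not None:
            current[2].extend(m.group(1).split())  # referenced by name in the entry
    return transform_sets, entries


def audit(text):
    """Flag map entries with a missing, undefined, or weak transform set."""
    transform_sets, entries = parse_config(text)
    findings = []
    for name, seq, ts_names in entries:
        if not ts_names:
            findings.append((name, seq, "no transform set applied"))
        for ts in ts_names:
            if ts not in transform_sets:
                findings.append((name, seq, f"transform set {ts} is not defined"))
            elif weak := sorted(set(transform_sets[ts]) & WEAK_TRANSFORMS):
                findings.append((name, seq, f"{ts} uses weak transforms: {', '.join(weak)}"))
    return findings
```

Feed it the output of 'show running-config' saved to a file; an empty result means every crypto map entry references a defined transform set with no flagged algorithms.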
Related Commands
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
show crypto map
Displays the configured crypto map entries, including their match criteria, peer addresses, and transform sets, used to verify IPsec VPN policy configuration.