Contents

IPsec Preferred Peer

The IP Security (IPsec) Preferred Peer feature allows you to control the circumstances by which multiple peers on a crypto map are tried in a failover scenario.

This feature includes the following capabilities:

  • Default peer configuration

  • IPsec idle-timer usage with default peer

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for IPsec Preferred Peer

  • You must have a properly defined, complete crypto map.

Restrictions for IPsec Preferred Peer

Default Peer

  • This feature must be used in conjunction with Dead Peer Detection (DPD). It is most effective on a remote site running DPD in periodic mode. DPD detects the failure of a device quickly and resets the peer list so that the default peer is tried for the next attempted connection.

  • Only one peer can be designated as the default peer in a crypto map.

  • The default peer must be the first peer in the peer list.

IPsec Idle Timer Usage with Default Peer

  • This feature works only on the crypto map for which it is configured. You cannot configure the capability globally for all crypto maps.

  • If there is a global idle timer, the crypto map idle-timer value must be different from the global value; otherwise, the idle timer is not added to the crypto map.

IPsec Failover

IPsec on the Cisco ASR 1000 Series Router supports only stateless failover. IPsec failover is a feature that increases the total uptime (or availability) of an IPsec network. This is accomplished traditionally by employing a redundant (standby) router in addition to the original (active) router. If the active router becomes unavailable for any reason, the standby router takes over the processing of IKE and IPsec.

IPsec failover falls into two categories: stateless failover and stateful failover. Stateless failover uses protocols such as the Hot Standby Router Protocol (HSRP) to provide primary-to-secondary cutover and also allows the active and standby VPN gateways to share a common virtual IP address.

Information About IPsec Preferred Peer

IPsec

IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating Internet Protocol (IP) packets between participating IPsec devices (peers), such as Cisco routers.

IPsec provides the following network security services. These services are optional. In general, local security policy dictates the use of one or more of these services:

  • Data Confidentiality--The IPsec sender can encrypt packets before transmitting them across a network.

  • Data Integrity--The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.

  • Data Origin Authentication--The IPsec receiver can authenticate the source of the IPsec packets sent.

  • Anti-Replay--The IPsec receiver can detect and reject replayed packets.

With IPsec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets, extranets, and remote user access.

IPsec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters that should be used to protect these sensitive packets, by specifying characteristics of these tunnels. When the IPsec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

Dead Peer Detection

The VPN Client uses a keepalive mechanism called Dead Peer Detection (DPD) to check the availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy or unreliable, you can increase the number of seconds that the VPN Client will wait before deciding whether the peer is no longer active.

Keepalive packets are not sent if traffic is received. This lowers the overhead associated with DPD, because on a heavily loaded network very few keepalive packets will be sent because traffic is being received on the tunnels. In addition, DPD sends keepalive packets only if there is user traffic to send (and no user traffic is received).

You can configure Internet Key Exchange (IKE) DPD so that DPD sends the keepalive packets whether or not there is outbound user data. That is, as long as there is no inbound user data, the keepalive packets are sent at the configured keepalive interval.

Default Peer Configuration

If a connection timeout occurs, the connection to the current peer is closed. The set peer command allows you to configure the first peer as the default peer. If there is a default peer, the next time a connection is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If the default peer is unresponsive, the next peer in the peer list becomes the current peer and future connections through the crypto map try that peer.

This capability is useful when traffic on a physical link stops due to the failure of a remote peer. DPD indicates that the remote peer is unavailable, but that peer remains the current peer.

A default peer facilitates the failover to a preferred peer that was previously unavailable, but has returned to service. Users can give preference to certain peers in the event of a failover. This is useful if the original failure was due to a network connectivity problem rather than failure of the remote peer.

Idle Timers

When a router creates an IPsec security association (SA) for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers.

IPsec SA idle timers increase the availability of resources by deleting SAs associated with idle peers. Because IPsec SA idle timers prevent the wasting of resources by idle peers, more resources are available to create new SAs when required.

If IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.

IPsec Idle-Timer Usage with Default Peer

If all connections to the current peer time out, the next time a connection is initiated it is directed to the default peer configured in the set peer command. If a default peer is not configured and there is a connection timeout, the current peer remains the one that timed out.

This enhancement helps facilitate a failover to a preferred peer that was previously unavailable but is in service now.

Peers on Crypto Maps

A crypto map set can contain multiple entries, each with a different access list. The router searches the crypto map entries in order, and attempts to match the packet to the access list specified in that entry.

When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as Cisco, connections are established with the remote peer as specified in the set peer statements within the crypto map.

How to Configure IPsec Preferred Peer

Configuring a Default Peer

To configure a default peer, perform the following steps.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]

    4.    set peer {host-name [dynamic] [default] | ip-address [default] }

    5.    exit


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]


    Example:
    Router(config)# crypto map mymap 10 ipsec-isakmp
     

    Enters crypto map configuration mode. Creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.

     
    Step 4 set peer {host-name [dynamic] [default] | ip-address [default] }


    Example:
    Router(config-crypto-map)# set peer 10.0.0.2 default
     

    Specifies an IPsec peer in a crypto map entry. Ensures that the first peer specified is defined as the default peer.

     
    Step 5 exit


    Example:
    Router(config-crypto-map)# exit
     

    Exits crypto map configuration mode and returns to global configuration mode.

     

    Configuring the Idle Timer

    To configure the idle timer, perform the following steps.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]

      4.    set security-association idletime seconds [default]

      5.    exit


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]


      Example:
      Router(config)# crypto map mymap 10 ipsec-isakmp
       

      Enters crypto map configuration mode. Creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.

       
      Step 4 set security-association idletime seconds [default]


      Example:
      Router(config-crypto-map)# set security-association idletime 120 default
       

      Specifies the maximum amount of time for which the current peer can be idle before the default peer is used.

       
      Step 5 exit


      Example:
      Router(config-crypto-map)# exit
       

      Exits crypto map configuration mode and returns to global configuration mode.

       

      Configuration Examples for IPsec Preferred Peer

      Configuring a Default Peer Example

      The following example shows that the first peer, at IP address 10.1.1.1, is the default peer: 

      crypto map tohub 1 ipsec-isakmp 
 set peer 10.1.1.1 default 
 set peer 10.2.2.2

      Configuring the IPsec Idle Timer Example

      In the following example, if the current peer is idle for 120 seconds, the default peer 10.1.1.1 (which was specified in the set peercommand) is used for the next attempted connection:

      crypto map tohub 1 ipsec-isakmp 
 set peer 10.1.1.1 default 
 set peer 10.2.2.2 
 set security-association idletime 120 default

      Additional References

      Related Documents

      Related Topic

      Document Title

      Cisco IOS commands

      Cisco IOS Master Commands List, All Releases

      IPsec

      Security for VPNs with IPsec

      Crypto map

      • Security for VPNs with IPsec

      • Configuring Internet Key Exchange for IPsec VPNs

      DPD

      IPsec Dead Peer Detection Periodic Message Option

      Security commands

      Cisco IOS Security Command Reference

      MIBs

      MIBs

      MIBs Link

      None.

      To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:

      http:/​/​www.cisco.com/​go/​mibs

      Technical Assistance

      Description

      Link

      The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

      Feature Information for IPsec Preferred Peer

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
      Table 1 Feature Information for IPsec Preferred Peer

      Feature Name

      Releases

      Feature Information

      IPsec Preferred Peer

      Cisco IOS XE Release 2.1

      The IPsec Preferred Peer feature allows you to control the circumstances by which multiple peers on a crypto map are tried in a failover scenario.

      The following commands were introduced or modified: set peer (IPsec) and set security-association idle-time.

      Glossary

      crypto access list --A list that defines which IP traffic will be protected by crypto and which traffic will not be protected by crypto.

      crypto map --A map that specifies which traffic should be protected by IPsec, where IPsec-protected traffic should be sent, and what IPsec transform sets should be applied to this traffic.

      dead peer detection --A feature that allows the router to detect an unresponsive peer.

      keepalive message --A message sent by one network device to inform another network device that the virtual circuit between the two is still active.

      peer --Router or other device that participates in IPsec and IKE. In IPsec, peers are devices or entities that communicate securely either through the exchange of keys or the exchange of digital certificates.

      SA --security association. An instance of security policy and keying material applied to a data flow. Both IKE and IPsec use SAs, although SAs are independent of one another. IPsec SAs are unidirectional and are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPsec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf of IPsec. A user also can establish IPsec SAs manually. A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports Encapsulating Security Payload (ESP) between peers, one ESP SA is required for each direction. SAs are identified uniquely by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).

      transform set --An acceptable combination of security protocols, algorithms, and other settings to apply to IPsec-protected traffic. During the IPsec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

      IPsec Preferred Peer

      IPsec Preferred Peer

      The IP Security (IPsec) Preferred Peer feature allows you to control the circumstances by which multiple peers on a crypto map are tried in a failover scenario.

      This feature includes the following capabilities:

      • Default peer configuration

      • IPsec idle-timer usage with default peer

      Finding Feature Information

      Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

      Prerequisites for IPsec Preferred Peer

      • You must have a properly defined, complete crypto map.

      Restrictions for IPsec Preferred Peer

      Default Peer

      • This feature must be used in conjunction with Dead Peer Detection (DPD). It is most effective on a remote site running DPD in periodic mode. DPD detects the failure of a device quickly and resets the peer list so that the default peer is tried for the next attempted connection.

      • Only one peer can be designated as the default peer in a crypto map.

      • The default peer must be the first peer in the peer list.

      IPsec Idle Timer Usage with Default Peer

      • This feature works only on the crypto map for which it is configured. You cannot configure the capability globally for all crypto maps.

      • If there is a global idle timer, the crypto map idle-timer value must be different from the global value; otherwise, the idle timer is not added to the crypto map.

      IPsec Failover

      IPsec on the Cisco ASR 1000 Series Router supports only stateless failover. IPsec failover is a feature that increases the total uptime (or availability) of an IPsec network. This is accomplished traditionally by employing a redundant (standby) router in addition to the original (active) router. If the active router becomes unavailable for any reason, the standby router takes over the processing of IKE and IPsec.

      IPsec failover falls into two categories: stateless failover and stateful failover. Stateless failover uses protocols such as the Hot Standby Router Protocol (HSRP) to provide primary-to-secondary cutover and also allows the active and standby VPN gateways to share a common virtual IP address.

      Information About IPsec Preferred Peer

      IPsec

      IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating Internet Protocol (IP) packets between participating IPsec devices (peers), such as Cisco routers.

      IPsec provides the following network security services. These services are optional. In general, local security policy dictates the use of one or more of these services:

      • Data Confidentiality--The IPsec sender can encrypt packets before transmitting them across a network.

      • Data Integrity--The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.

      • Data Origin Authentication--The IPsec receiver can authenticate the source of the IPsec packets sent.

      • Anti-Replay--The IPsec receiver can detect and reject replayed packets.

      With IPsec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets, extranets, and remote user access.

      IPsec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters that should be used to protect these sensitive packets, by specifying characteristics of these tunnels. When the IPsec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

      Dead Peer Detection

      The VPN Client uses a keepalive mechanism called Dead Peer Detection (DPD) to check the availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy or unreliable, you can increase the number of seconds that the VPN Client will wait before deciding whether the peer is no longer active.

      Keepalive packets are not sent if traffic is received. This lowers the overhead associated with DPD, because on a heavily loaded network very few keepalive packets will be sent because traffic is being received on the tunnels. In addition, DPD sends keepalive packets only if there is user traffic to send (and no user traffic is received).

      You can configure Internet Key Exchange (IKE) DPD so that DPD sends the keepalive packets whether or not there is outbound user data. That is, as long as there is no inbound user data, the keepalive packets are sent at the configured keepalive interval.

      Default Peer Configuration

      If a connection timeout occurs, the connection to the current peer is closed. The set peer command allows you to configure the first peer as the default peer. If there is a default peer, the next time a connection is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If the default peer is unresponsive, the next peer in the peer list becomes the current peer and future connections through the crypto map try that peer.

      This capability is useful when traffic on a physical link stops due to the failure of a remote peer. DPD indicates that the remote peer is unavailable, but that peer remains the current peer.

      A default peer facilitates the failover to a preferred peer that was previously unavailable, but has returned to service. Users can give preference to certain peers in the event of a failover. This is useful if the original failure was due to a network connectivity problem rather than failure of the remote peer.

      Idle Timers

      When a router creates an IPsec security association (SA) for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers.

      IPsec SA idle timers increase the availability of resources by deleting SAs associated with idle peers. Because IPsec SA idle timers prevent the wasting of resources by idle peers, more resources are available to create new SAs when required.

      If IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.

      IPsec Idle-Timer Usage with Default Peer

      If all connections to the current peer time out, the next time a connection is initiated it is directed to the default peer configured in the set peer command. If a default peer is not configured and there is a connection timeout, the current peer remains the one that timed out.

      This enhancement helps facilitate a failover to a preferred peer that was previously unavailable but is in service now.

      Peers on Crypto Maps

      A crypto map set can contain multiple entries, each with a different access list. The router searches the crypto map entries in order, and attempts to match the packet to the access list specified in that entry.

      When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as Cisco, connections are established with the remote peer as specified in the set peer statements within the crypto map.

      How to Configure IPsec Preferred Peer

      Configuring a Default Peer

      To configure a default peer, perform the following steps.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]

        4.    set peer {host-name [dynamic] [default] | ip-address [default] }

        5.    exit


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3 crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]


        Example:
        Router(config)# crypto map mymap 10 ipsec-isakmp
         

        Enters crypto map configuration mode. Creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.

         
        Step 4 set peer {host-name [dynamic] [default] | ip-address [default] }


        Example:
        Router(config-crypto-map)# set peer 10.0.0.2 default
         

        Specifies an IPsec peer in a crypto map entry. Ensures that the first peer specified is defined as the default peer.

         
        Step 5 exit


        Example:
        Router(config-crypto-map)# exit
         

        Exits crypto map configuration mode and returns to global configuration mode.

         

        Configuring the Idle Timer

        To configure the idle timer, perform the following steps.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]

          4.    set security-association idletime seconds [default]

          5.    exit


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Router> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 configure terminal


          Example:
          Router# configure terminal
           

          Enters global configuration mode.

           
          Step 3 crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]


          Example:
          Router(config)# crypto map mymap 10 ipsec-isakmp
           

          Enters crypto map configuration mode. Creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.

           
          Step 4 set security-association idletime seconds [default]


          Example:
          Router(config-crypto-map)# set security-association idletime 120 default
           

          Specifies the maximum amount of time for which the current peer can be idle before the default peer is used.

           
          Step 5 exit


          Example:
          Router(config-crypto-map)# exit
           

          Exits crypto map configuration mode and returns to global configuration mode.

           

          Configuration Examples for IPsec Preferred Peer

          Configuring a Default Peer Example

          The following example shows that the first peer, at IP address 10.1.1.1, is the default peer: 

          crypto map tohub 1 ipsec-isakmp 
 set peer 10.1.1.1 default 
 set peer 10.2.2.2

          Configuring the IPsec Idle Timer Example

          In the following example, if the current peer is idle for 120 seconds, the default peer 10.1.1.1 (which was specified in the set peercommand) is used for the next attempted connection:

          crypto map tohub 1 ipsec-isakmp 
 set peer 10.1.1.1 default 
 set peer 10.2.2.2 
 set security-association idletime 120 default

          Additional References

          Related Documents

          Related Topic

          Document Title

          Cisco IOS commands

          Cisco IOS Master Commands List, All Releases

          IPsec

          Security for VPNs with IPsec

          Crypto map

          • Security for VPNs with IPsec

          • Configuring Internet Key Exchange for IPsec VPNs

          DPD

          IPsec Dead Peer Detection Periodic Message Option

          Security commands

          Cisco IOS Security Command Reference

          MIBs

          MIBs

          MIBs Link

          None.

          To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:

          http:/​/​www.cisco.com/​go/​mibs

          Technical Assistance

          Description

          Link

          The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

          Feature Information for IPsec Preferred Peer

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
          Table 1 Feature Information for IPsec Preferred Peer

          Feature Name

          Releases

          Feature Information

          IPsec Preferred Peer

          Cisco IOS XE Release 2.1

          The IPsec Preferred Peer feature allows you to control the circumstances by which multiple peers on a crypto map are tried in a failover scenario.

          The following commands were introduced or modified: set peer (IPsec) and set security-association idle-time.

          Glossary

          crypto access list --A list that defines which IP traffic will be protected by crypto and which traffic will not be protected by crypto.

          crypto map --A map that specifies which traffic should be protected by IPsec, where IPsec-protected traffic should be sent, and what IPsec transform sets should be applied to this traffic.

          dead peer detection --A feature that allows the router to detect an unresponsive peer.

          keepalive message --A message sent by one network device to inform another network device that the virtual circuit between the two is still active.

          peer --Router or other device that participates in IPsec and IKE. In IPsec, peers are devices or entities that communicate securely either through the exchange of keys or the exchange of digital certificates.

          SA --security association. An instance of security policy and keying material applied to a data flow. Both IKE and IPsec use SAs, although SAs are independent of one another. IPsec SAs are unidirectional and are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPsec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf of IPsec. A user also can establish IPsec SAs manually. A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports Encapsulating Security Payload (ESP) between peers, one ESP SA is required for each direction. SAs are identified uniquely by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).

          transform set --An acceptable combination of security protocols, algorithms, and other settings to apply to IPsec-protected traffic. During the IPsec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.