For IPsec tunnels and IPsec gateways, SR OS allows users to configure up to four IKE transform and four IPsec transform configurations, covering IKE traffic and ESP traffic respectively.
IKE transform parameters are configured in the config>ipsec>ike-transform context and referenced from the ike-policy. IPsec transform parameters are configured in the config>ipsec>ipsec-transform context and referenced from the tunnel template for dynamic tunnels, and under config>service>vprn>interface>sap>ipsec-tunnel>dynamic-keying for static tunnels.
An IKE transform includes the following parameters:
IKE encryption algorithm
IKE authentication algorithm
Diffie-Hellman group
IKE SA lifetime
An IPsec transform includes the following parameters:
ESP encryption algorithm
ESP authentication algorithm
Diffie-Hellman group for CHILD SA rekey with PFS
CHILD SA lifetime
If multiple ike-transform and ipsec-transform entries are configured for an IPsec gateway or IPsec tunnel, the system offers all of the configured transforms when negotiating with the peer. This negotiation allows a single IPsec gateway or IPsec tunnel to support peers that use different crypto algorithms.
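The following Python model illustrates the negotiation behaviour described above: a gateway holds up to four IKE transforms and up to four IPsec transforms, and a peer that proposes any one of them can establish a tunnel. This is an added example, not SR OS code; the class and function names, the assumption that the locally configured order is the preference order, and the algorithm names and lifetimes used as sample data are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_TRANSFORMS = 4  # the page states up to four IKE and four IPsec transforms

# A proposal the peer offers: (encryption, authentication, dh_group).
Proposal = Tuple[str, str, int]


@dataclass(frozen=True)
class IkeTransform:
    """Model of one config>ipsec>ike-transform entry (field names are assumed)."""
    encryption: str      # IKE encryption algorithm
    authentication: str  # IKE authentication algorithm
    dh_group: int        # Diffie-Hellman group
    lifetime: int        # IKE SA lifetime in seconds (local policy, not negotiated)

    def proposal(self) -> Proposal:
        return (self.encryption, self.authentication, self.dh_group)


@dataclass(frozen=True)
class IpsecTransform:
    """Model of one config>ipsec>ipsec-transform entry (field names are assumed)."""
    encryption: str      # ESP encryption algorithm
    authentication: str  # ESP authentication algorithm
    pfs_dh_group: int    # DH group for CHILD SA rekey with PFS (0 = no PFS)
    lifetime: int        # CHILD SA lifetime in seconds (local policy, not negotiated)

    def proposal(self) -> Proposal:
        return (self.encryption, self.authentication, self.pfs_dh_group)


def check_limit(transforms: List) -> None:
    """Enforce the one-to-four transform limit stated on the page."""
    if not 1 <= len(transforms) <= MAX_TRANSFORMS:
        raise ValueError(
            f"between 1 and {MAX_TRANSFORMS} transforms required, got {len(transforms)}")


def select_transform(local: List, peer_proposals: List[Proposal]):
    """Return the first locally configured transform that the peer also offers.

    Local order is treated as the gateway's preference order (an assumption of
    this model), so a peer that offers several matching proposals gets the one
    the gateway ranks highest, not the one the peer lists first.
    """
    check_limit(local)
    offered = set(peer_proposals)
    for candidate in local:
        if candidate.proposal() in offered:
            return candidate
    return None


def negotiate(ike_transforms: List[IkeTransform], ipsec_transforms: List[IpsecTransform],
              peer_ike: List[Proposal], peer_esp: List[Proposal]
              ) -> Optional[Tuple[IkeTransform, IpsecTransform]]:
    """Negotiate the IKE SA first; without it no CHILD SA can be created."""
    ike = select_transform(ike_transforms, peer_ike)
    if ike is None:
        return None
    esp = select_transform(ipsec_transforms, peer_esp)
    if esp is None:
        return None
    return ike, esp


# Constructed gateway policy: a strong transform first, a weaker one for older peers.
IKE_TRANSFORMS = [
    IkeTransform("aes256", "sha256", 14, 86400),
    IkeTransform("aes128", "sha1", 2, 86400),
]
IPSEC_TRANSFORMS = [
    IpsecTransform("aes256", "sha256", 14, 3600),
    IpsecTransform("aes128", "sha1", 0, 3600),
]

# Constructed peer proposals.
MODERN_PEER_IKE = [("aes256", "sha256", 14)]
MODERN_PEER_ESP = [("aes256", "sha256", 14)]
LEGACY_PEER_IKE = [("aes128", "sha1", 2)]
LEGACY_PEER_ESP = [("aes128", "sha1", 0)]
MIXED_PEER_IKE = [("aes128", "sha1", 2), ("aes256", "sha256", 14)]
UNSUPPORTED_PEER_IKE = [("3des", "md5", 1)]

if __name__ == "__main__":
    for name, ike, esp in [("modern", MODERN_PEER_IKE, MODERN_PEER_ESP),
                           ("legacy", LEGACY_PEER_IKE, LEGACY_PEER_ESP),
                           ("unsupported", UNSUPPORTED_PEER_IKE, MODERN_PEER_ESP)]:
        print(name, negotiate(IKE_TRANSFORMS, IPSEC_TRANSFORMS, ike, esp))
```

The practical point for a defender is the ordering and the limit: every transform listed is one the gateway will accept, so a weaker entry kept for legacy peers is reachable by any peer that asks for it, and the model's local-first selection only controls which transform wins when a peer offers more than one.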