Whats the difference between a transform set and a security association?
A transform set is a generic combination of a hash and encryption algorithm used to encrypt phase two (I will get to that later) data. A transform set simply identifies which hash and encryption algorithm you want to use, it can be reused however many times you like for multiple tunnels.
I understand that in the transform set you have to state AH or ESP, but why do you also have to choose a HMAC and an ecryption algorithm? Didnt we just configure that with isakmp?
As the previous poster mentioned, IPsec and IKE are different things, corresponding to one of two phases in the entire suite. Phase one is used to initiate the tunnel, it creates a low-level tunnel over which the phase two tunnel can be established, it's what ISAKMP parameters control. Phase two is the high-level tunnel over which actual application data is sent, it is initiated over the phase one tunnel, it's what the crypto map
Also what is the point in selecting an encryption algorithm in isakmp if were using AH?
If you actually do need to, it's probably just an artifact of older configuration parameters. AH is used almost nowhere these days and most platforms are tailored for ESP configuration rather than AH.
Reasonably un-nerdy blog:americanwerewolfinbelgrade.wordpress.com/