pfs

Syntax

pfs dh-group14

undo pfs

View

IPsec policy view

Default level

2: System level

Parameters

dh-group14: Uses the 2048-bit MODP Diffie-Hellman group (group 14) for the PFS exchange.

Description

Use the pfs command to enable perfect forward secrecy (PFS) and set its Diffie-Hellman group, so that the system uses PFS when it initiates a negotiation with this IPsec policy.

Use the undo pfs command to remove the configuration.

By default, the PFS feature is not used for negotiation.

This command is supported only in FIPS mode.

With PFS enabled, IPsec performs an additional Diffie-Hellman key exchange during IKE phase 2 (quick mode), so the IPsec SA keys are not derived solely from the phase 1 keying material. A later compromise of the phase 1 keys therefore does not expose the IPsec SA keys, which provides an additional level of security.

The local Diffie-Hellman group must be the same as the peer's; otherwise the phase 2 negotiation fails.
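The following Python model is an added example, not code from this command reference or from the device's IKE implementation. It follows the IKEv1 quick-mode key derivation of RFC 2409 section 5.5 (KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)) to show what the pfs command changes: without PFS an attacker who later obtains the phase 1 secret SKEYID_d can recompute the IPsec SA keys from captured traffic; with PFS the extra Diffie-Hellman secret blocks that; and with mismatched groups the two peers do not arrive at the same keys at all. The Mersenne primes, generator 3, HMAC-SHA256 as the prf, and the byte layout of the exchange are all constructed stand-ins for the demo and are not the real group 14 parameters.

```python
"""Toy model of IKEv1 quick-mode (phase 2) keying with and without PFS."""
import hashlib
import hmac
import secrets

# Constructed stand-in groups so the demo runs instantly. 2**127-1 and 2**89-1
# are Mersenne primes; generator 3 is an assumption. The real dh-group14 is the
# 2048-bit MODP prime of RFC 3526, which this demo does not embed.
TOY_GROUP14 = (2**127 - 1, 3)
TOY_OTHER_GROUP = (2**89 - 1, 3)   # a different group: models a peer mismatch


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf; HMAC-SHA256 is assumed here in place of the negotiated hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair(group):
    p, g = group
    x = secrets.randbelow(p - 2) + 1          # private exponent, never sent
    return x, pow(g, x, p)                    # (private, public value sent to peer)


def dh_secret(group, priv, peer_pub) -> bytes:
    p, _ = group
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def keymat(skeyid_d, ni, nr, proto, spi, qm_secret=b""):
    # RFC 2409 s5.5:
    #   without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    #   with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    return prf(skeyid_d, qm_secret + proto + spi + ni + nr)


def quick_mode(skeyid_d, init_group=None, resp_group=None):
    """Simulate one quick-mode exchange.

    init_group/resp_group are the PFS groups each peer configured (None = no
    pfs command). Returns the KEYMAT each side derives plus what an eavesdropper
    who captured the exchange and later learned SKEYID_d can recompute.
    """
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # nonces, visible on the wire
    proto, spi = b"\x03", secrets.token_bytes(4)                 # ESP and the responder's SPI
    if init_group is None:
        # No PFS: keys depend only on phase 1 material, so SKEYID_d alone is enough.
        k = keymat(skeyid_d, ni, nr, proto, spi)
        return {"initiator": k, "responder": k, "attacker": k}

    # PFS: a fresh DH exchange inside phase 2. Each side uses its own configured
    # group; a real IKE daemon would reject a group mismatch at proposal matching,
    # here we just show the keys would not agree.
    xi, gi = dh_keypair(init_group)
    xr, gr = dh_keypair(resp_group)
    k_init = keymat(skeyid_d, ni, nr, proto, spi, dh_secret(init_group, xi, gr))
    k_resp = keymat(skeyid_d, ni, nr, proto, spi, dh_secret(resp_group, xr, gi))
    # The attacker holds SKEYID_d, ni, nr, spi, gi and gr but no private exponent,
    # so the best it can do is the derivation without g(qm)^xy.
    attacker = keymat(skeyid_d, ni, nr, proto, spi)
    return {"initiator": k_init, "responder": k_resp, "attacker": attacker}


if __name__ == "__main__":
    sk = secrets.token_bytes(32)              # SKEYID_d from phase 1 (constructed)
    no_pfs = quick_mode(sk)
    pfs = quick_mode(sk, TOY_GROUP14, TOY_GROUP14)
    mismatch = quick_mode(sk, TOY_GROUP14, TOY_OTHER_GROUP)
    print("no PFS: attacker recovers SA keys:", no_pfs["attacker"] == no_pfs["initiator"])
    print("PFS:    attacker recovers SA keys:", pfs["attacker"] == pfs["initiator"])
    print("PFS:    peers agree on keys:      ", pfs["initiator"] == pfs["responder"])
    print("group mismatch: peers agree:      ", mismatch["initiator"] == mismatch["responder"])
```

The third case is the check behind the rule above: both ends must run the same `pfs dh-group14`, because the phase 2 DH values are only meaningful within one group.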

Related commands: ipsec policy (system view).

Examples

# Enable and configure PFS for IPsec policy policy1.

<Sysname> system-view
[Sysname] ipsec policy policy1 200 isakmp
[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group14