pfs

Syntax

pfs { dh-group2 | dh-group5 | dh-group14 }

undo pfs

View

IPsec policy view

Default level

2: System level

Parameters

dh-group2: Uses the 1024-bit Diffie-Hellman group.

dh-group5: Uses the 1536-bit Diffie-Hellman group.

dh-group14: Uses the 2048-bit Diffie-Hellman group.

Description

Use the pfs command to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy to initiate a negotiation.

Use the undo pfs command to remove the configuration.

By default, the PFS feature is not used for negotiation.

In terms of both security strength and required calculation time, the three groups are listed here in descending order: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), and 1024-bit Diffie-Hellman group (dh-group2).

This command causes IPsec to perform an additional Diffie-Hellman key exchange during phase 2 negotiation, which provides an additional level of security (perfect forward secrecy for the IPsec SA keys).

The local Diffie-Hellman group must be the same as that of the peer.

Related commands: ipsec policy (system view).

Examples

# Enable and configure PFS for IPsec policy policy1.

<Sysname> system-view
[Sysname] ipsec policy policy1 200 isakmp
[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group2
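The following is an added example and is not part of the command reference or any vendor tool. It audits the text form of IPsec policy configuration (as produced by a running-configuration listing, assumed here to use `#` as the section separator and one-space indentation for sub-commands) for the PFS setting, applying the strength ordering given above (dh-group14 > dh-group5 > dh-group2) and the stated default that PFS is off when the command is absent. The sample configuration, the policy names and the 2048-bit minimum are constructed assumptions for illustration.

```python
"""Audit Comware-style IPsec policy configuration for PFS settings.

Added example, not from the command reference. It parses 'ipsec policy'
blocks in running-config form and reports policies that either have no
'pfs' line (the reference's default: PFS not used) or use a group weaker
than a chosen minimum, ranked by the bit lengths the reference gives.
"""
import re

# Strength ranking taken from the reference's parameter descriptions.
DH_GROUP_BITS = {"dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}

# Assumed config syntax: 'ipsec policy <name> <seq> <mode>' opens a block,
# indented sub-commands follow, and a lone '#' line closes it.
POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) (\S+)\s*$")
PFS_RE = re.compile(r"^\s*pfs (dh-group\d+)\s*$")


def parse_ipsec_policies(config_text):
    """Return {(name, seq): {"mode": mode, "pfs": group-or-None}}."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line == "#":
            current = None          # section separator ends the block
            continue
        m = POLICY_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            policies[current] = {"mode": m.group(3), "pfs": None}
            continue
        m = PFS_RE.match(line)
        if m and current is not None:
            policies[current]["pfs"] = m.group(1)
    return policies


def audit_pfs(policies, minimum_bits=2048):
    """Return [(name, seq, finding)] for policies below minimum_bits.

    minimum_bits is an assumed policy threshold, not a value from the
    reference. Policies with no 'pfs' line are reported because PFS is
    off by default; groups not in DH_GROUP_BITS are reported as unknown.
    """
    findings = []
    for (name, seq), info in sorted(policies.items()):
        group = info["pfs"]
        if group is None:
            findings.append((name, seq, "no PFS configured (default)"))
        elif group not in DH_GROUP_BITS:
            findings.append((name, seq, f"unknown group {group}"))
        elif DH_GROUP_BITS[group] < minimum_bits:
            findings.append((name, seq,
                             f"{group} is {DH_GROUP_BITS[group]}-bit, "
                             f"below {minimum_bits}-bit"))
    return findings


# Constructed sample configuration (not from the reference).
SAMPLE_CONFIG = """\
#
ipsec policy policy1 200 isakmp
 pfs dh-group2
#
ipsec policy policy1 300 isakmp
 pfs dh-group14
#
ipsec policy policy2 100 isakmp
#
"""

if __name__ == "__main__":
    for name, seq, finding in audit_pfs(parse_ipsec_policies(SAMPLE_CONFIG)):
        print(f"ipsec policy {name} {seq}: {finding}")
```

Run against the constructed sample, the audit flags policy1 200 (dh-group2, 1024-bit) and policy2 100 (no pfs line), while policy1 300 with dh-group14 passes. Because the local group must match the peer's, remediation means raising the group on both ends of the tunnel rather than on one side only.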