Pfs - Allied Telesis AT-AR3050S Command Reference Manual

Next-generation firewall
IPSEC COMMANDS

PFS

pfs
Overview
Use this command to enable PFS and set a Diffie-Hellman group for PFS in an IPsec
profile.
Use the no variant to disable PFS.
Syntax
pfs {2|5|14|15|16|18}
no pfs
Default
PFS is disabled.
Mode
IPsec Profile Configuration
Usage
Perfect Forward Secrecy (PFS) ensures that generated keys (for example, IPsec SA keys)
are not compromised if other keys (for example, ISAKMP SA keys) are compromised.
The specified PFS group must match the PFS group setting on the peer, especially
when IKEv2 is used for ISAKMP SA negotiation. With IKEv2, if there is a PFS group
mismatch, an IPsec SA will still be established and the tunnel will come up, because
PFS is not required for the initial child SA negotiation. However, when the IPsec SA
rekeys, the rekey will fail because of the PFS group mismatch, and once the IPsec SA
expires the tunnel will no longer be able to carry traffic.
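To make the Usage paragraph concrete, the following is an added illustration (it is not Allied Telesis code and not the device's implementation) of why PFS keeps IPsec SA keys safe when the ISAKMP/IKE SA keys leak. It follows the IKEv2 KEYMAT rule of RFC 7296 section 2.17: without PFS the child SA keys are derived only from the IKE SA key SK_d and the two nonces, so anyone holding SK_d and a capture of the exchange can recompute them; with PFS a fresh Diffie-Hellman secret g^ir from the selected group is mixed in, and that secret is never sent on the wire. The modulus and generator used here are a constructed toy group, not one of the MODP groups the pfs command selects; in a group this small the private exponent is recoverable by brute force, which is exactly why the command only offers 1024-bit and larger groups.

```python
"""Toy model of IKEv2 child SA key derivation with and without PFS.

Added illustration, not Allied Telesis code.  KEYMAT follows RFC 7296 s2.17:
  without PFS: KEYMAT = prf+(SK_d, Ni | Nr)
  with PFS:    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
The DH parameters are a constructed toy group, NOT an IKE MODP group.
"""
import hashlib
import hmac

TOY_P = 2**61 - 1  # Mersenne prime M61: constructed toy modulus, far too small for real use
TOY_G = 3          # constructed generator for the toy group


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the IKEv2 PRF transforms."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 s2.13 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def dh_public(priv: int) -> int:
    """Public value g^priv mod p in the toy group."""
    return pow(TOY_G, priv, TOY_P)


def dh_shared(peer_pub: int, priv: int) -> bytes:
    """g^ir as a fixed-width byte string (8 bytes cover the 61-bit modulus)."""
    return pow(peer_pub, priv, TOY_P).to_bytes(8, "big")


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"") -> bytes:
    """KEYMAT for one child SA; g_ir is empty when PFS is disabled."""
    return prf_plus(sk_d, g_ir + ni + nr, 32)


def observer_keymat(sk_d: bytes, ni: bytes, nr: bytes) -> bytes:
    """What a party holding a leaked SK_d and the captured nonces can compute.
    It equals the real KEYMAT only when PFS was off; with PFS the missing
    g^ir (a fresh DH secret never sent on the wire) keeps the keys out of reach."""
    return child_keymat(sk_d, ni, nr)


def rekey(sk_d: bytes, ni: bytes, nr: bytes, priv_i: int, priv_r: int) -> dict:
    """One CREATE_CHILD_SA rekey with the given nonces and DH private exponents,
    returning the child KEYMAT both without and with PFS."""
    pub_i, pub_r = dh_public(priv_i), dh_public(priv_r)
    g_ir = dh_shared(pub_r, priv_i)
    if g_ir != dh_shared(pub_i, priv_r):
        raise ValueError("peers disagree on g^ir")  # cannot happen for valid exponents
    return {
        "no_pfs": child_keymat(sk_d, ni, nr),
        "pfs": child_keymat(sk_d, ni, nr, g_ir),
    }


def main() -> None:
    # Constructed sample values standing in for SK_d and the nonces of one IKE SA.
    sk_d = bytes(range(32))
    ni, nr = b"\x01" * 16, b"\x02" * 16
    first = rekey(sk_d, ni, nr, 123456789, 987654321)
    second = rekey(sk_d, ni, nr, 111, 222)   # later rekey, fresh DH exponents
    leaked = observer_keymat(sk_d, ni, nr)
    print("no PFS, observer recovers child keys:", leaked == first["no_pfs"])
    print("PFS,    observer recovers child keys:", leaked == first["pfs"])
    print("PFS keys change between rekeys:      ", first["pfs"] != second["pfs"])


if __name__ == "__main__":
    main()
```

The same SK_d and nonces are reused across the two rekeys on purpose: it shows that without PFS the child keys are a pure function of the IKE SA key, while with PFS each rekey yields unrelated keys, which is also why both peers must offer the same group on every CREATE_CHILD_SA exchange.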
Parameter    Description
2            1024-bit MODP Group
5            1536-bit MODP Group
14           2048-bit MODP Group
15           3072-bit MODP Group
16           4096-bit MODP Group
18           8192-bit MODP Group
Examples
To enable PFS and set a Diffie-Hellman group for PFS, use the following
commands:
awplus(config)# crypto ipsec profile my_profile
awplus(config-ipsec-profile)# pfs 15
To disable PFS, use the following command:
awplus(config-ipsec-profile)# no pfs
Related Commands
crypto ipsec profile
C613-50077-01 REV A
Command Reference for AT-AR3050S
AlliedWare Plus™ Operating System - Version 5.4.5-2.x
2287
