Table of Contents
Advertisement
Command Reference Guide
set pfs
Use the set pfs command to choose the type of perfect forward secrecy (PFS), if any, that will be required
during the IPsec negotiation of security associations (SAs) for this crypto map. Use the no form of this
command to return to the default setting. Variations of this command include:
set pfs group1
set pfs group2
set pfs group5
set pfs group1 legacy-peer
set pfs group2 legacy-peer
set pfs group5 legacy-peer
Syntax Description
group1
group2
group5
legacy-peer
Default Values
By default, no PFS will be used during IPsec SA key generation.
Command History
Release 4.1
Release 15.1
Release 17.6/A2.04
Functional Notes
If left at the default setting, no PFS will be used during IPSec SA key generation. If PFS is specified, then
the specified Diffie-Hellman Group exchange will be used for the initial and all subsequent key generation,
thus providing no data linkage between prior keys and future keys.
Usage Examples
The following example specifies use of the Diffie-Hellman Group 1 exchange during IPSec SA key
generation:
(config)#crypto map MyMap 100 ipsec-ike
(config-crypto-map)#set pfs group1
60000CRG0-35E
Requires IPSec to use Diffie-Hellman Group 1 (768-bit modulus) exchange
during IPSec security association (SA) key generation.
Requires IPSec to use Diffie-Hellman Group 2 (1024-bit modulus)
exchange during IPSec SA key generation.
Requires IPSec to use Diffie-Hellman Group 5 (1536-bit modulus)
exchange during IPSec SA key generation.
Optional. Specifies using the Diffie-Hellman secret generation for legacy
peers (running AOS versions prior to A1.08 for voice products or 17.6.1 for
data products).
Command was introduced.
Command was expanded to include the group5 parameter.
Command was expanded to include legacy-peer option.
Copyright © 2012 ADTRAN, Inc.
Crypto Map IKE Command Set
3929
Advertisement
Table of Contents
