set pfs

Last Updated : Nov 06, 2012

Specifies whether each IKE phase 2 negotiation employs Perfect Forward Secrecy (PFS) and, if so, which Diffie-Hellman group to use. PFS ensures that even if an attacker discovers the long-term secret(s), they cannot recover the session keys, past or present. In addition, the discovery of one session key compromises neither the long-term secrets nor any other session key.

Use no set pfs to disable PFS for IKE phase 2 (default setting).

Syntax

[no] set pfs [group1 | group2 | group5 | group14]

Note:

Using set pfs with no parameters sets the PFS group to 1.
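The following is an added example, not Avaya Gxxx code: a small Python model of what this command changes. It parses the `[no] set pfs [groupN]` syntax above (including the note that a bare `set pfs` means group1) and then contrasts IKE phase 2 key derivation without PFS, where keying material depends only on phase 1 secrets plus values visible on the wire, with PFS, where a fresh Diffie-Hellman exchange is run for each phase 2 SA. The prime, the PRF and the nonces are constructed for the demo and are not the real IKE MODP groups or IKE PRF; the function names are this example's own.

```python
"""Toy model of IKE phase 2 keying with and without PFS (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Modulus sizes of the groups `set pfs` accepts (values from the page).
PFS_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}


def parse_set_pfs(line: str) -> Optional[str]:
    """Return the DH group selected by a `[no] set pfs [groupN]` line.

    None means PFS disabled (`no set pfs`, the default). Per the page's note,
    `set pfs` with no parameter selects group1.
    """
    words = line.split()
    negated = bool(words) and words[0] == "no"
    if negated:
        words = words[1:]
    if words[:2] != ["set", "pfs"] or len(words) > 3:
        raise ValueError(f"not a set pfs command: {line!r}")
    group = words[2] if len(words) == 3 else "group1"
    if group not in PFS_GROUP_BITS:
        raise ValueError(f"unknown DH group: {group!r}")
    return None if negated else group


# Constructed toy group so the demo runs instantly: 2**127 - 1 is prime.
# A real transform set would use one of the 768..2048-bit MODP groups above.
TOY_P = (1 << 127) - 1
TOY_G = 2
TOY_LEN = (TOY_P.bit_length() + 7) // 8  # 16 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the negotiated IKE prf in this model."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keymat_without_pfs(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes) -> bytes:
    """No PFS: KEYMAT = prf(SKEYID_d, SPI | Ni | Nr).

    Everything except SKEYID_d crosses the wire, so whoever later learns
    SKEYID_d can re-derive every phase 2 key protected by it.
    """
    return prf(skeyid_d, spi + ni + nr)


def keymat_with_pfs(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                    p: int = TOY_P, g: int = TOY_G) -> Tuple[bytes, Tuple[int, int]]:
    """PFS: a fresh DH exchange per phase 2 SA; KEYMAT also binds g^xy.

    The private exponents x and y exist only inside this call; only g^x and
    g^y are returned, which is all an eavesdropper would have captured.
    """
    x = secrets.randbelow(p - 2) + 1
    y = secrets.randbelow(p - 2) + 1
    gx, gy = pow(g, x, p), pow(g, y, p)
    gxy = pow(gy, x, p)
    assert gxy == pow(gx, y, p)  # both peers arrive at the same secret
    keymat = prf(skeyid_d, gxy.to_bytes(TOY_LEN, "big") + spi + ni + nr)
    return keymat, (gx, gy)


def simulate_skeyid_compromise() -> dict:
    """Model a later compromise of phase 1 material plus a full packet capture."""
    skeyid_d = secrets.token_bytes(20)  # constructed phase 1 secret
    spi = b"\x00\x00\x10\x01"           # constructed SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    real_no_pfs = keymat_without_pfs(skeyid_d, spi, ni, nr)
    real_pfs, (gx, gy) = keymat_with_pfs(skeyid_d, spi, ni, nr)

    # Attacker's view: SKEYID_d, the SPI, both nonces and g^x, g^y.
    recovered_no_pfs = keymat_without_pfs(skeyid_d, spi, ni, nr)
    # Without x or y there is no way to form g^xy short of a discrete log;
    # a random exponent stands in for that infeasible step.
    wrong_gxy = pow(gy, secrets.randbelow(TOY_P - 2) + 1, TOY_P)
    guess_pfs = prf(skeyid_d, wrong_gxy.to_bytes(TOY_LEN, "big") + spi + ni + nr)

    return {
        "no_pfs_recovered": recovered_no_pfs == real_no_pfs,  # True
        "pfs_recovered": guess_pfs == real_pfs,              # False
    }
```

The simulation shows why the default (`no set pfs`) ties every phase 2 key to the phase 1 secret, whereas any of the group options makes each SA's key depend on a per-SA secret that was never stored. The modulus sizes in the table are the lever for how hard that per-SA secret is to recover; the larger groups cost more CPU per phase 2 rekey but give the stronger guarantee.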

Parameters

Parameter   Description                                                                         Possible Values   Default Value
group1      Keyword specifying that IKE employ the 768-bit Diffie-Hellman prime modulus group
group2      Keyword specifying that IKE employ the 1024-bit Diffie-Hellman prime modulus group
group5      Keyword specifying that IKE employ the 1536-bit Diffie-Hellman prime modulus group
group14     Keyword specifying that IKE employ the 2048-bit Diffie-Hellman prime modulus group

User level

read-write

Context

crypto ipsec transform-set

Example

To specify that IKE employs the 768-bit Diffie-Hellman prime modulus group:

Gxxx-001(config-transform:ts1)# set pfs group1