
pfs

Function

The pfs command enables PFS when the local end initiates IPSec tunnel negotiation.

The undo pfs command disables PFS when the local end initiates IPSec tunnel negotiation.

By default, PFS is not used when the local end initiates IPSec tunnel negotiation.

Format

pfs { dh-group14 | dh-group19 | dh-group20 | dh-group21 }

undo pfs

Parameters

Parameter   Description                                                             Value
dh-group14  Uses the 2048-bit DH group.                                             -
dh-group19  Uses the 256-bit Elliptic Curve Groups modulo a Prime (ECP) DH group.   -
dh-group20  Uses the 384-bit ECP DH group.                                          -
dh-group21  Uses the 521-bit ECP DH group.                                          -

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local end initiates negotiation with PFS enabled, an additional DH exchange is performed in IKEv1 phase 2 or in the IKEv2 CREATE_CHILD_SA exchange. The IPSec SA key is then derived from this fresh DH secret rather than from the IKE SA key material alone, so a later compromise of the IKE SA keys does not expose the IPSec SA key, which improves communication security.
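To show why the extra DH exchange matters, here is an added Python model of the IKEv2 CREATE_CHILD_SA key derivation (RFC 7296), run with and without PFS. It is an illustration added to this page, not Huawei code and not tied to this product. The prf+ construction and the KEYMAT formula follow the RFC; the DH modulus is a constructed toy value (not one of the groups the command offers), HMAC-SHA-256 is assumed as the negotiated PRF, and the "recorder" is a hypothetical passive observer that captured the exchange and later obtains the IKE SA's SK_d.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy DH group, constructed for this illustration only. A real deployment uses
# the groups the pfs command offers (dh-group14/19/20/21); this small Mersenne
# prime exists so the arithmetic runs instantly and is not secure.
TOY_P = 2**127 - 1
TOY_G = 3
NONCE_LEN = 16
KEYMAT_LEN = 64  # enough for an encryption and an integrity key per direction


def prf(key: bytes, data: bytes) -> bytes:
    """prf modelled as HMAC-SHA-256, one of the PRFs IKEv2 can negotiate (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


def dh_keypair() -> Tuple[int, int]:
    """Ephemeral exponent and the public value sent in the KE payload."""
    priv = secrets.randbelow(TOY_P - 3) + 2  # 2 <= priv <= P-2
    return priv, pow(TOY_G, priv, TOY_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^ir: the fresh secret both peers compute from their own exponent and the peer's KE."""
    return pow(peer_pub, priv, TOY_P).to_bytes(16, "big")


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: Optional[bytes]) -> bytes:
    """RFC 7296 section 2.17: KEYMAT = prf+(SK_d, Ni | Nr) without PFS, and
    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr) when a KE payload (PFS) is present."""
    return prf_plus(sk_d, (g_ir or b"") + ni + nr, KEYMAT_LEN)


def negotiate_child_sa(pfs: bool) -> dict:
    """Run one CREATE_CHILD_SA exchange, then model a recorder that later obtains SK_d.

    Returns the real KEYMAT, the recorder's best reconstruction, and whether they match."""
    sk_d = secrets.token_bytes(32)  # IKE SA key material shared by both peers
    ni, nr = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    wire = {"ni": ni, "nr": nr}  # everything a passive observer can record
    g_ir = None
    if pfs:
        a, ke_i = dh_keypair()  # initiator's ephemeral exponent and KE payload
        b, ke_r = dh_keypair()  # responder's
        wire.update(ke_i=ke_i, ke_r=ke_r)
        g_ir = dh_shared(a, ke_r)
        assert g_ir == dh_shared(b, ke_i)  # both sides agree on the fresh secret
        del a, b  # ephemeral exponents are discarded once the child SA keys exist
    keymat = child_sa_keymat(sk_d, ni, nr, g_ir)
    # Later IKE SA compromise: the recorder learns SK_d and replays the derivation
    # from the recorded wire data. The public KE values alone do not yield g^ir,
    # so with PFS the best it can do is the derivation without the DH secret.
    recovered = child_sa_keymat(sk_d, wire["ni"], wire["nr"], None)
    return {"keymat": keymat, "recovered": recovered, "exposed": recovered == keymat}


if __name__ == "__main__":
    for mode in (False, True):
        result = negotiate_child_sa(pfs=mode)
        print(f"pfs={mode}: IPSec SA key exposed by IKE SA compromise: {result['exposed']}")
```

Without PFS the recorder rebuilds the child SA key exactly; with PFS the derivation depends on a DH secret that was never on the wire and whose exponents no longer exist, which is the property the command buys at the cost of one extra exponentiation per child SA.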

Precautions

The system software does not support the dh-group1, dh-group2, and dh-group5 parameters. To use these DH groups, you need to install the WEAKEA plug-in. For higher security, you are advised to specify one of the DH groups listed above instead.

Example

# Enable the PFS feature in the IPSec Efficient VPN policy evpn.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] pfs dh-group14
Copyright © Huawei Technologies Co., Ltd.