The pfs command sets the Perfect Forward Secrecy (PFS) feature when the IPSec policy is used in the negotiation.
The undo pfs command restores the default setting.
By default, the PFS feature is not set.
This command is supported only on the NetEngine 8000 F1A.
Parameter | Description | Value
---|---|---
dh-group1 | Adopts the 768-bit Diffie-Hellman group in Phase 1 of the key negotiation. | -
dh-group2 | Adopts the 1024-bit Diffie-Hellman group in Phase 1 of the key negotiation. | -
dh-group5 | Adopts the 1536-bit Diffie-Hellman group in Phase 1 of the key negotiation. DH groups 1, 2, and 5 are not secure. | -
dh-group14 | Adopts the 2048-bit Diffie-Hellman group in Phase 1 of the key negotiation. | -
dh-group19 | Adopts the 256-bit ECP group in Phase 1 of the key negotiation. | -
dh-group20 | Adopts the 384-bit ECP group in Phase 1 of the key negotiation. | -
dh-group21 | Adopts the 512-bit ECP group in Phase 1 of the key negotiation. | -
dh-group15 | Adopts the 3072-bit Diffie-Hellman group in Phase 1 of the key negotiation. | -
dh-group16 | Adopts the 4096-bit Diffie-Hellman group in Phase 1 of the key negotiation. | -
Usage Scenario
This command is used to perform a PFS exchange when IPSec uses the IPSec policy to initiate a negotiation. An additional Diffie-Hellman key exchange is performed during the Phase 2 negotiation so that the IPSec SA keys are not derived solely from the Phase 1 keying material, which enhances communication security.
The DH group specified on the local and remote ends must be the same; otherwise, the negotiation fails.
Precautions
If PFS is enabled, negotiation performance deteriorates. You are advised to disable PFS when a large number of SAs are configured. Otherwise, packet loss may occur due to tunnel rekey failures, affecting services.
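The following is an added example, not code from the NetEngine documentation. It audits the PFS setting of each IPSec policy in a configuration dump against the DH group table above (flagging groups 1, 2 and 5 as weak, and policies with no pfs line as having PFS disabled, the default), and checks that a local and a remote policy use the same DH group, since a mismatch makes the negotiation fail. The configuration syntax it parses (an `ipsec policy <name> <seq> isakmp` block containing a `pfs dh-groupN` line and terminated by a `#` line) is an assumption modelled on VRP-style output, and the sample configurations are constructed, not captured from a device.

```python
"""Audit PFS settings in IPSec policy configuration text.

Added example; not from the NetEngine documentation. The block syntax
(`ipsec policy <name> <seq> isakmp` ... `pfs dh-groupN` ... `#`) is an
assumption modelled on VRP-style configuration output.
"""
import re

# DH group strength as given in the pfs command's parameter table.
# bits: MODP modulus size or ECP curve size; secure: False for the groups
# the documentation marks as not secure.
DH_GROUPS = {
    "dh-group1":  {"kind": "MODP", "bits": 768,  "secure": False},
    "dh-group2":  {"kind": "MODP", "bits": 1024, "secure": False},
    "dh-group5":  {"kind": "MODP", "bits": 1536, "secure": False},
    "dh-group14": {"kind": "MODP", "bits": 2048, "secure": True},
    "dh-group15": {"kind": "MODP", "bits": 3072, "secure": True},
    "dh-group16": {"kind": "MODP", "bits": 4096, "secure": True},
    "dh-group19": {"kind": "ECP",  "bits": 256,  "secure": True},
    "dh-group20": {"kind": "ECP",  "bits": 384,  "secure": True},
    "dh-group21": {"kind": "ECP",  "bits": 512,  "secure": True},
}

POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) isakmp\s*$")
PFS_RE = re.compile(r"^\s*pfs (dh-group\d+)\s*$")


def parse_pfs(config_text):
    """Return {(policy_name, seq): dh_group or None} for each IPSec policy block.

    None means no pfs line was present, i.e. PFS is not set (the default).
    """
    policies = {}
    current = None
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            policies[current] = None
            continue
        if line.strip() == "#":  # end of the current block
            current = None
            continue
        m = PFS_RE.match(line)
        if m and current is not None:
            policies[current] = m.group(1)
    return policies


def audit_pfs(policies):
    """Classify each policy as 'disabled', 'weak', 'ok' or 'unknown'."""
    findings = {}
    for key, group in policies.items():
        if group is None:
            findings[key] = "disabled"
        elif group not in DH_GROUPS:
            findings[key] = "unknown"
        elif not DH_GROUPS[group]["secure"]:
            findings[key] = "weak"
        else:
            findings[key] = "ok"
    return findings


def peers_consistent(local_group, remote_group):
    """Both ends must specify the same DH group, otherwise negotiation fails."""
    return local_group == remote_group


# Constructed sample configurations (not captured from a real device).
LOCAL_CONFIG = """\
ipsec policy branch 10 isakmp
 pfs dh-group2
#
ipsec policy hq 10 isakmp
 pfs dh-group14
#
ipsec policy legacy 10 isakmp
#
"""
REMOTE_CONFIG = """\
ipsec policy branch 10 isakmp
 pfs dh-group14
#
"""

if __name__ == "__main__":
    local = parse_pfs(LOCAL_CONFIG)
    for key, verdict in audit_pfs(local).items():
        print(f"{key[0]}/{key[1]}: pfs={local[key]} -> {verdict}")
    remote = parse_pfs(REMOTE_CONFIG)
    print("branch peers consistent:",
          peers_consistent(local[("branch", 10)], remote[("branch", 10)]))
```

Run against the constructed dumps, the script reports the `branch` policy as weak (dh-group2), `hq` as ok (dh-group14), `legacy` as PFS disabled, and flags that the `branch` policy's DH group does not match the remote end's, which is the mismatch the usage notes say causes the negotiation to fail.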