

perfect-forward-secrecy (Security IPsec)



Hierarchy Level

Release Information

Statement introduced in Junos OS Release 8.5.

Support for group14 options added in Junos OS Release 11.1.

Support for group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.

group15, group16, and group21 options introduced in Junos OS Release 19.1R1 on the SRX5000 line of devices with the SRX5K-SPC3 card.


Specify Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. PFS generates each new encryption key independently from the previous key.


The device deletes existing IPsec SAs when you update the perfect-forward-secrecy configuration in the IPsec policy.


  • group1—Diffie-Hellman Group 1.

  • group14—Diffie-Hellman Group 14.

  • group19—Diffie-Hellman Group 19.

  • group2—Diffie-Hellman Group 2.

  • group20—Diffie-Hellman Group 20.

  • group24—Diffie-Hellman Group 24.

  • group5—Diffie-Hellman Group 5.

  • group15—Diffie-Hellman Group 15.

  • group16—Diffie-Hellman Group 16.

  • group21—Diffie-Hellman Group 21.
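An added example, not part of the Junos documentation: a Python check that reads set-style configuration lines and reports, per IPsec policy, whether PFS is configured and whether the chosen group meets a minimum strength. The `set security ipsec policy <name> perfect-forward-secrecy keys <group>` line form, the 2048-bit MODP and 256-bit ECP floors, and the sample configuration are assumptions; the group sizes come from RFC 2409, RFC 3526, RFC 5903 and RFC 5114.

```python
import re

# Option -> (group type, size in bits), per RFC 2409, 3526, 5903 and 5114.
DH_GROUPS = {
    "group1": ("MODP", 768), "group2": ("MODP", 1024), "group5": ("MODP", 1536),
    "group14": ("MODP", 2048), "group15": ("MODP", 3072), "group16": ("MODP", 4096),
    "group19": ("ECP", 256), "group20": ("ECP", 384), "group21": ("ECP", 521),
    "group24": ("MODP", 2048),  # 2048-bit MODP with a 256-bit prime-order subgroup
}
MIN_BITS = {"MODP": 2048, "ECP": 256}   # assumed local policy floor
DISCOURAGED = {"group24"}               # RFC 8247 rates this group SHOULD NOT
# Assumed set-style line form; the policy name is the first token after "policy".
POLICY_RE = re.compile(r"^set security ipsec policy (\S+)(?:\s+(.*))?$")
PFS_RE = re.compile(r"^perfect-forward-secrecy keys (\S+)$")

def audit_pfs(config_text):
    """Return {policy_name: finding} for every IPsec policy in the config."""
    chosen = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), (m.group(2) or "").strip()
        chosen.setdefault(name, None)      # policy seen, PFS not yet known
        pfs = PFS_RE.match(rest)
        if pfs:
            chosen[name] = pfs.group(1)
    findings = {}
    for name, group in chosen.items():
        if group is None:
            findings[name] = "no-pfs"
        elif group not in DH_GROUPS:
            findings[name] = "unknown-group"
        elif group in DISCOURAGED:
            findings[name] = "discouraged-group"
        elif DH_GROUPS[group][1] < MIN_BITS[DH_GROUPS[group][0]]:
            findings[name] = "weak-group"
        else:
            findings[name] = "ok"
    return findings

# Constructed sample configuration (policy names are made up).
SAMPLE = """\
set security ipsec policy branch-a proposal-set standard
set security ipsec policy branch-a perfect-forward-secrecy keys group2
set security ipsec policy branch-b perfect-forward-secrecy keys group19
set security ipsec policy branch-c proposals esp-aes256
set security ipsec policy dc perfect-forward-secrecy keys group24
"""
```

As the statement description notes, updating perfect-forward-secrecy in an IPsec policy deletes existing IPsec SAs, so plan changes to flagged policies for a maintenance window.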

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.
