Specifying IPsec Security Association PFS and DH Group Parameters
You can specify the IPsec SA perfect forward secrecy (PFS) option and Diffie-Hellman prime modulus group that IPsec SA negotiations can use for this profile.
Note: When the client initiates the IPsec negotiation, the router can accept Diffie-Hellman prime modulus groups that are higher than those configured.
To configure perfect forward secrecy for connections created with this IPsec tunnel configuration profile by assigning a Diffie-Hellman prime modulus group:
- From IPsec Tunnel Profile Configuration mode, specify the perfect forward secrecy.

      host1(config-ipsec-tunnel-profile)#pfs group 5

Use the no version to remove PFS from the profile.