
Configuring Perfect Forward Secrecy

PFS provides additional security by performing a fresh Diffie-Hellman exchange for each IPsec security association, so the IPsec keys are derived from a new shared secret rather than from the IKE (Phase 1) keying material. With PFS, if one key is compromised, previous and subsequent keys remain secure because they are not derived from one another. This statement is optional.

To configure PFS, include the perfect-forward-secrecy statement and specify a Diffie-Hellman group at the [edit security ipsec policy ipsec-policy-name] hierarchy level:

[edit security ipsec policy ipsec-policy-name]
perfect-forward-secrecy {
keys (group1 | group2);
}

The key can be one of the following:

group1, Diffie-Hellman Group 1 (768-bit modular exponentiation, MODP)
group2, Diffie-Hellman Group 2 (1024-bit MODP)

group2 provides more security than group1, but requires more processing time. Both moduli are short by current standards, so use the largest group the platform and the remote peer support. Both peers must be configured with the same PFS group (or both without PFS); otherwise the Phase 2 negotiation fails.
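The statement shown in context of a complete IPsec proposal and policy, as an added example that is not part of the original page. The policy name pfs-policy and the proposal name esp-aes128-sha1 are assumed names; the proposal must be defined at the [edit security ipsec proposal] hierarchy level before the policy can reference it.

```junos
/* Added example: IPsec policy with PFS. The names pfs-policy and
   esp-aes128-sha1 are assumed, not taken from the original page. */
security {
    ipsec {
        proposal esp-aes128-sha1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy pfs-policy {
            /* Each IPsec SA gets its own DH exchange; group2 (1024-bit MODP)
               is stronger than group1 (768-bit MODP) at some extra CPU cost. */
            perfect-forward-secrecy {
                keys group2;
            }
            proposals esp-aes128-sha1;
        }
    }
}
```

The same PFS setting entered in set form is `set security ipsec policy pfs-policy perfect-forward-secrecy keys group2`; after committing, `show configuration security ipsec policy pfs-policy` confirms the group that is in effect. Configure the identical group on the remote peer, since a PFS mismatch prevents the Phase 2 security association from being established.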

