Configure IKE Phase 2 Perfect Forward Secrecy

Use the following procedure to configure IKE Phase 2 perfect forward secrecy (PFS).

About this task

Phase 2 performs its own Diffie-Hellman key exchange to achieve perfect forward secrecy. This ensures that the compromise of a single key exposes only the data protected by that key and nothing else.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the IKE Phase 2 perfect forward secrecy:

    ike policy WORD<1–32> p2-pfs <enable|disable> [use-ike-group <enable|disable>] [dh-group <modp768|modp1024|modp2048|any>]

  3. Optional: Disable Phase 2 perfect forward secrecy:

    no ike policy WORD<1–32> p2-pfs

Variable Definition

The following table defines parameters for the ike policy WORD<1–32> p2-pfs command.

policy WORD<1–32>

    Specifies the name of the IKE Phase 1 policy.

p2-pfs

    Enables Phase 2 perfect forward secrecy.

dh-group <modp768|modp1024|modp2048|any>

    Configures the Diffie-Hellman (DH) group used for Phase 2 perfect forward secrecy (PFS). The default value is modp2048. To return this option to the default value, use the default operator with the command: default ike policy WORD<1–32> p2-pfs dh-group.

    Note: For Federal Information Processing Standards (FIPS) compliance, only the default value modp2048 is supported.

use-ike-group <enable|disable>

    Specifies whether the IKE Phase 1 DH group is also used for Phase 2 PFS. The default is enable. To return this option to the default value, use the default operator with the command: default ike policy WORD<1–32> p2-pfs use-ike-group.
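An added example (not part of this document or the vendor's software) that audits the p2-pfs lines produced by the procedure above: it applies the documented defaults (dh-group modp2048, use-ike-group enable) to lines that omit the options and flags policies with PFS disabled, a group inherited from Phase 1 that still needs checking, or a Phase 2 group other than the FIPS-supported modp2048. The config lines are constructed for illustration; the regular expressions assume the command syntax shown on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample config lines (not from a real device); they follow the
# ike policy WORD<1-32> p2-pfs syntax described above.
SAMPLE_CONFIG = """\
ike policy SITE-A p2-pfs enable use-ike-group disable dh-group modp2048
ike policy SITE-B p2-pfs enable
ike policy LEGACY p2-pfs enable use-ike-group disable dh-group modp1024
ike policy LAB p2-pfs disable
"""

LINE_RE = re.compile(r"^ike policy (\S+) p2-pfs (enable|disable)\b(.*)$")
OPT_RE = re.compile(r"(use-ike-group|dh-group)\s+(\S+)")
FIPS_GROUP = "modp2048"  # the only value the FIPS note above allows
DEFAULTS = {"dh-group": "modp2048", "use-ike-group": "enable"}  # documented defaults


def parse_policy(line: str) -> Optional[Dict[str, str]]:
    """Return the PFS settings of one 'ike policy ... p2-pfs' line, filling in
    the documented defaults for options that were not given explicitly."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, pfs, rest = m.groups()
    opts = dict(DEFAULTS)
    opts.update(dict(OPT_RE.findall(rest)))  # options may appear in any order
    return {"name": name, "p2-pfs": pfs, **opts}


def audit(config: str) -> List[str]:
    """Flag policies whose Phase 2 PFS is off or not pinned to modp2048."""
    findings: List[str] = []
    for line in config.splitlines():
        p = parse_policy(line)
        if p is None:
            continue  # not a p2-pfs line; nothing to check here
        if p["p2-pfs"] == "disable":
            findings.append(f"{p['name']}: Phase 2 PFS disabled")
        elif p["use-ike-group"] == "enable":
            # The DH group comes from Phase 1, so this line alone cannot prove it is modp2048.
            findings.append(f"{p['name']}: PFS group inherited from Phase 1 (verify the Phase 1 dh-group)")
        elif p["dh-group"] != FIPS_GROUP:
            findings.append(f"{p['name']}: Phase 2 dh-group {p['dh-group']} is not {FIPS_GROUP}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```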