Configure IKE Phase 2 Perfect Forward Secrecy
Use the following procedure to configure IKE Phase 2 perfect forward secrecy (PFS).
About this task
With Phase 2 PFS enabled, a fresh Diffie-Hellman key exchange is performed for each Phase 2 security association instead of deriving its keys from the Phase 1 key material alone. This ensures that the compromise of even a single key does not permit access to data other than that protected by that key.
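The following is an added example, not code from the page or from the switch vendor, that models why the Phase 2 Diffie-Hellman exchange limits the damage of a compromised Phase 1 key. It follows the IKEv1 Quick Mode derivation from RFC 2409, KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b), where the optional g(qm)^xy term is exactly what PFS adds. The DH group, the nonces and the SPI are constructed for the demonstration; the toy group is not one of the modp groups the command accepts and has none of their strength.

```python
"""Toy model of IKE Phase 2 keying with and without perfect forward secrecy.

Added example; not from the original page or the vendor. The attacker
model is: Phase 1 keying material (SKEYID_d) has been compromised, and
every value sent on the wire (SPI, nonces, DH public values) is known.
"""
import hashlib
import hmac
import secrets

# Constructed toy DH group (a Mersenne prime and a small generator).
# Chosen only so the arithmetic is instant; real deployments use the
# modp2048 group, which is the default on the page.
TOY_P = (1 << 61) - 1
TOY_G = 3

ESP_PROTOCOL_ID = b"\x03"  # protocol field of the KEYMAT derivation


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for the negotiated IKE PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n: int) -> bytes:
    """Big-endian encoding of a DH value."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def dh_keypair(p: int = TOY_P, g: int = TOY_G):
    """Fresh ephemeral exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gxy=None) -> bytes:
    """Quick Mode KEYMAT. gxy is the fresh DH secret, or None when PFS is off."""
    prefix = i2b(gxy) if gxy is not None else b""
    return prf(skeyid_d, prefix + ESP_PROTOCOL_ID + spi + ni + nr)


def quick_mode(pfs: bool) -> dict:
    """Run one Phase 2 exchange, then let an attacker who holds SKEYID_d
    and all on-the-wire values try to rebuild the Phase 2 key."""
    skeyid_d = secrets.token_bytes(32)  # Phase 1 secret, later compromised
    spi = secrets.token_bytes(4)        # constructed sample values
    ni = secrets.token_bytes(16)
    nr = secrets.token_bytes(16)

    if pfs:
        xi, gxi = dh_keypair()          # initiator's ephemeral pair
        xr, gxr = dh_keypair()          # responder's ephemeral pair
        k_init = keymat(skeyid_d, spi, ni, nr, pow(gxr, xi, TOY_P))
        k_resp = keymat(skeyid_d, spi, ni, nr, pow(gxi, xr, TOY_P))
        # xi and xr are erased after the exchange. The attacker sees gxi and
        # gxr but cannot form g^(xi*xr) without solving the discrete log, so
        # the most it can derive from what it knows omits that term.
        attacker = keymat(skeyid_d, spi, ni, nr, None)
    else:
        # Without PFS every input to KEYMAT is either SKEYID_d or public,
        # so a compromised Phase 1 key yields every Phase 2 key.
        k_init = k_resp = keymat(skeyid_d, spi, ni, nr, None)
        attacker = keymat(skeyid_d, spi, ni, nr, None)

    return {
        "peers_agree": k_init == k_resp,
        "attacker_recovers_key": attacker == k_init,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("pfs" if mode else "no pfs", quick_mode(mode))
```

The same structure holds for IKEv2 child SAs: the Phase 2 key is only as independent of the Phase 1 secret as the optional DH term makes it, which is why the table below lets you both enable p2-pfs and pick the group strength with dh-group.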
Procedure
Variable Definition
The following table defines the parameters of the ike policy WORD<1–32> p2-pfs command.

| Variable | Value |
|---|---|
| policy WORD<1–32> | Specifies the name of the IKE Phase 1 policy. |
| p2-pfs | Enables Phase 2 perfect forward secrecy. |
| dh-group <modp768\|modp1024\|modp2048\|any> | Configures the Diffie-Hellman (DH) group used for Phase 2 perfect forward secrecy (PFS). The default value is modp2048. To restore the default, use the default operator with the command: default ike policy WORD<1–32> p2-pfs dh-group. Note: For Federal Information Processing Standards (FIPS) compliance, only the default value modp2048 is supported. |
| use-ike-group <enable\|disable> | Specifies whether the IKE Phase 1 DH group is also used for Phase 2 PFS. The default is enable. To restore the default, use the default operator with the command: default ike policy WORD<1–32> p2-pfs use-ike-group. |