Configure IKE Phase 2 Perfect Forward Secrecy

Use the following procedure to configure IKE Phase 2 perfect forward secrecy (PFS).

About this task

A Diffie-Hellman key exchange is done to achieve perfect forward secrecy. This ensures that the compromise of even a single key does not permit access to data other than that protected by that key.

Procedure

Enter Global Configuration mode:

enable

configure terminal
Configure the IKE Phase 2 perfect forward secrecy:

ike policy WORD<1–32> p2–pfs <enable|disable> [use-ike-group <enable|disable>][dh-group <modp768|modp1024|modp2048|any]
Optional: Disable Phase 2 perfect forward secrecy:

no ike policy <1–32> p2–pfs

Variable Definition

The following table defines parameters for the ike policy WORD<1–32> p2–pfs command.


Variable	Value
policy `WORD<1–32>`	Specifies the name of the IKE Phase 1 policy.
p2–pfs	Enables the Phase 2 perfect forward secrecy.
dh-group `<modp768\|modp1024\|modp2048\|any>`	Configures the Diffie-Hellman (DH) group to be used for Phase 2 perfect forward secrecy (PFS). The default value is modp2048. To configure this option to the default value, use the default operator with the command: default ike policy WORD<1–32> p2–pfs dh-group. Note: For Federal Information Processing Standards (FIPS) compliance, only the default value modp2048 is supported.
use-ike-group `<enable\|disable>`	Specifies whether to use the IKE Phase 1 DH group for Phase 2 PFS or not to use it. The default is enable. To set this option to the default value, use the default operator with the command: default ike policy WORD<1–32> p2–pfs use-ike-group