crypto-map-ipsec-isakmp-instance
Configures PFS (Perfect Forward Secrecy) for the auto site-to-site VPN tunnel or remote VPN client.
PFS is the key-establishment protocol used to secure VPN communications. With PFS, if one encryption key is compromised, only the data encrypted with that specific key is compromised. For PFS to exist, the key used to protect data transmissions must not be used to derive any additional keys. The options are 2, 5 and 14. This option is disabled by default.
pfs [14|2|5]
pfs [14|2|5] | Configures PFS
Site-to-site VPN tunnel:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#pfs 5
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 pfs 5
 ip nat crypto
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#1)#

Remote VPN client:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#2)#pfs 14
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-cryptomap-test#2)#
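Because PFS is disabled by default, a crypto map entry with no pfs line negotiates without it. The following is an added example, not vendor code: a small audit that reads saved show context output and reports entries with PFS off or set below a policy floor. It assumes the pfs values are Diffie-Hellman group numbers and uses 14 as the floor (RFC 8247 marks groups 2 and 5 as SHOULD NOT); the function names and the third sample entry are hypothetical.

```python
import re

# Constructed sample: the two crypto map entries shown on this page plus a
# third, hypothetical entry that leaves PFS at its default (disabled).
SAMPLE_CONFIG = """\
crypto map test 1 ipsec-isakmp
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 pfs 5
 ip nat crypto
crypto map test 2 ipsec-isakmp dynamic
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
crypto map test 3 ipsec-isakmp
 peer 1 ikev2 ikev2Peer2
"""

MIN_GROUP = 14  # assumed policy floor, not a value taken from this page
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")
PFS_RE = re.compile(r"^\s+pfs (\d+)\s*$")

def parse_crypto_maps(text):
    """Return {(map_name, seq): pfs_group or None} for each ipsec-isakmp entry."""
    maps, current = {}, None
    for line in text.splitlines():
        header = MAP_RE.match(line)
        if header:
            current = (header.group(1), int(header.group(2)))
            maps[current] = None  # PFS stays off unless a pfs line follows
        elif not line.startswith((" ", "\t")):
            current = None  # any other unindented line ends the entry
        elif current is not None and PFS_RE.match(line):
            maps[current] = int(PFS_RE.match(line).group(1))
    return maps

def audit_pfs(text, min_group=MIN_GROUP):
    """List (map_name, seq, finding) for entries without PFS or below min_group."""
    findings = []
    for (name, seq), group in sorted(parse_crypto_maps(text).items()):
        if group is None:
            findings.append((name, seq, "pfs disabled (default)"))
        elif group < min_group:
            findings.append((name, seq, f"pfs group {group} below {min_group}"))
    return findings

if __name__ == "__main__":
    for name, seq, finding in audit_pfs(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {finding}")
```
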