pfs

Function

The pfs command enables PFS when the local end initiates IPSec tunnel negotiation.

The undo pfs command disables PFS when the local end initiates IPSec tunnel negotiation.

By default, PFS is not used when the local end initiates IPSec tunnel negotiation.

Format

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group15 | dh-group16 | dh-group18 | dh-group19 | dh-group20 | dh-group21 | dh-group24 }

undo pfs

Parameters

Parameter    Description                                                              Value
dh-group1    Uses the 768-bit DH group.                                               -
dh-group2    Uses the 1024-bit DH group.                                              -
dh-group5    Uses the 1536-bit DH group.                                              -
dh-group14   Uses the 2048-bit DH group.                                              -
dh-group15   Uses the 3072-bit DH group.                                              -
dh-group16   Uses the 4096-bit DH group.                                              -
dh-group18   Uses the 8192-bit DH group.                                              -
dh-group19   Uses the 256-bit Elliptic Curve Groups modulo a Prime (ECP) DH group.    -
dh-group20   Uses the 384-bit ECP DH group.                                           -
dh-group21   Uses the 521-bit ECP DH group.                                           -
dh-group24   Uses the 2048-bit DH group that includes a 256-bit sub-group.            -

Views

ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local end initiates negotiation, an additional DH exchange is performed in IKEv1 phase 2 or in the IKEv2 CREATE_CHILD_SA exchange. This additional DH exchange ensures the security of the IPSec SA key and improves communication security.

Precautions

By default, the device does not support the dh-group1, dh-group2, and dh-group5 parameters. To use these parameters, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading. dh-group1, dh-group2, and dh-group5 have potential security risks; the other DH groups are recommended.

The dh-group18 algorithm is computationally expensive and time-consuming. If the IPSec SA aging time is short, IPSec SA re-negotiation may fail. Therefore, when configuring dh-group18, increase the IPSec SA aging time; the default IPSec SA aging time of 3600s is recommended.

Table 1 describes the requirement for consistency of the PFS DH groups configured on the local and remote ends when the PFS function is enabled.

Table 1 Description of PFS DH groups

Security Policy Mode on the Local and Remote Ends: IPSec policy in ISAKMP mode on both ends
Description: The DH groups specified on the two ends must be the same; otherwise, the IPSec SA negotiation fails.

Security Policy Mode on the Local and Remote Ends: IPSec policy in ISAKMP mode on one end and IPSec policy configured using an IPSec policy template on the other end
Description:
  • If PFS is enabled in the IPSec policy template:
    The DH groups specified on the two ends must be the same; otherwise, the IPSec SA negotiation fails.
  • If PFS is disabled in the IPSec policy template:
    The IPSec SA negotiation may succeed when the DH groups specified on the two ends are different. The responder uses the DH group on the initiator.

Security Policy Mode on the Local and Remote Ends: IPSec profile on both ends
Description: The DH groups specified on the two ends must be the same; otherwise, the IPSec SA negotiation fails.
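The rules in Table 1 and the two precautions above can be applied before a tunnel is deployed. The following is an added example, not Huawei code; it assumes the end whose policy is configured from a template is the responder, treats any SA aging time below the recommended 3600s as "short" for dh-group18, and describes each end with a small constructed End record.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Groups that stay unavailable until the weak-algorithm package is installed.
WEAK_GROUPS = {"dh-group1", "dh-group2", "dh-group5"}
RECOMMENDED_SA_LIFETIME = 3600  # seconds; the default aging time the page recommends


@dataclass
class End:
    mode: str                  # "isakmp", "template" or "profile" (constructed model)
    pfs: Optional[str] = None  # e.g. "dh-group14"; None means PFS is disabled
    sa_lifetime: int = RECOMMENDED_SA_LIFETIME


def check_pfs(initiator: End, responder: End) -> Tuple[bool, Optional[str], List[str]]:
    """Apply Table 1 to one negotiation: (succeeds, effective DH group, warnings)."""
    modes = {initiator.mode, responder.mode}
    template = next((e for e in (initiator, responder) if e.mode == "template"), None)
    if modes == {"isakmp", "template"} and template.pfs is None:
        # PFS disabled in the template: the responder adopts the initiator's group.
        succeeds, group = True, initiator.pfs
    elif modes in ({"isakmp"}, {"profile"}, {"isakmp", "template"}):
        # Every other row of Table 1: the two groups must be identical.
        succeeds = initiator.pfs == responder.pfs
        group = initiator.pfs if succeeds else None
    else:
        raise ValueError(f"mode combination {sorted(modes)} is not covered by Table 1")

    warnings: List[str] = []
    if group in WEAK_GROUPS:
        warnings.append(f"{group} needs the weak-algorithm package and is a security risk")
    if group == "dh-group18":
        for end in (initiator, responder):
            if end.sa_lifetime < RECOMMENDED_SA_LIFETIME:
                warnings.append(f"dh-group18 with a {end.sa_lifetime}s SA aging time may "
                                "fail re-negotiation; use the 3600s default or longer")
    return succeeds, group, warnings


if __name__ == "__main__":
    # Constructed sample: ISAKMP initiator, template responder with PFS disabled.
    print(check_pfs(End("isakmp", "dh-group14"), End("template")))
```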

Example

# Use PFS when the IPSec policy named policy1 is used in negotiation.
<sysname> system-view
[sysname] ipsec policy policy1 1 isakmp
[sysname-ipsec-policy-isakmp-policy1-1] pfs dh-group14
Copyright © Huawei Technologies Co., Ltd.