R3303-HP HSR6800 Routers Security Command Reference

Related commands
display ipsec transform-set
pfs
Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the
feature when employing the IPsec policy or IPsec profile to initiate a negotiation.
Use undo pfs to remove the configuration.
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
Default
The PFS feature is not used for negotiation.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
dh-group1: Uses the 768-bit Diffie-Hellman group. This keyword is not available in FIPS mode.
dh-group2: Uses the 1024-bit Diffie-Hellman group.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.
Usage guidelines
In terms of both security strength and required computation time, the four groups rank in descending order as follows:
2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit
Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).
This command makes IPsec perform an additional Diffie-Hellman key exchange during IKE phase 2
negotiation, so that the IPsec SA keys are not derived solely from the phase 1 keying material. This provides an additional level of security.
The local Diffie-Hellman group must be the same as that of the peer.
This command can be used only when the SAs are to be set up through IKE negotiation.
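The guidelines above say that PFS is off by default and that the groups differ in strength. A practitioner reviewing many policies will want to check the running configuration rather than each policy by hand. The following is an added example written for this page, not code from the manual or from HP; it parses a constructed snippet in the shape of the configuration shown in the Examples section (one assumption: sub-commands indented by a single space, entries separated by `#` lines) and flags IPsec policies, policy templates, and profiles that either leave PFS unconfigured or use a group weaker than a chosen minimum. It also includes a check that a local and a peer group match, since the manual requires them to be identical.

```python
import re

# Modulus size in bits for each keyword accepted by the pfs command (from the manual).
DH_GROUP_BITS = {
    "dh-group1": 768,
    "dh-group2": 1024,
    "dh-group5": 1536,
    "dh-group14": 2048,
}

# Constructed sample configuration (assumption about layout, not a real device dump).
SAMPLE_CONFIG = """\
#
ipsec policy policy1 200 isakmp
 pfs dh-group1
#
ipsec policy policy1 300 isakmp
#
ipsec policy-template tpl1 10
 pfs dh-group2
#
ipsec profile prof1
 pfs dh-group14
#
"""

# Entry header: "ipsec policy <name> <seq> isakmp", "ipsec policy-template <name> <seq>",
# or "ipsec profile <name>".
ENTRY_RE = re.compile(r"^ipsec (policy-template|policy|profile) (\S+)(?: (\d+))?(?: isakmp)?$")
PFS_RE = re.compile(r"^\s+pfs (dh-group\d+)$")


def parse_pfs(config_text):
    """Map each IPsec policy/template/profile entry to its configured PFS group (None if absent)."""
    entries = {}
    current = None
    for line in config_text.splitlines():
        if line.strip() == "#":          # section separator ends the current entry
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, name, seq = m.groups()
            current = f"{kind} {name}" + (f" {seq}" if seq else "")
            entries[current] = None      # default per the manual: PFS not used
            continue
        m = PFS_RE.match(line)
        if m and current is not None:
            entries[current] = m.group(1)
    return entries


def audit_pfs(config_text, min_bits=2048):
    """Return (entry, reason) pairs for entries without PFS or with a group below min_bits."""
    findings = []
    for entry, group in parse_pfs(config_text).items():
        if group is None:
            findings.append((entry, "pfs not configured (default): no phase 2 DH exchange"))
        elif group not in DH_GROUP_BITS:
            findings.append((entry, f"{group} is not a group this reference documents"))
        elif DH_GROUP_BITS[group] < min_bits:
            findings.append((entry, f"{group} is {DH_GROUP_BITS[group]}-bit, below {min_bits}-bit"))
    return findings


def peers_match(local_group, peer_group):
    """The manual requires the local DH group to equal the peer's; both must be set."""
    return local_group is not None and local_group == peer_group


if __name__ == "__main__":
    for entry, reason in audit_pfs(SAMPLE_CONFIG):
        print(f"{entry}: {reason}")
```

Lower `min_bits` to 1536 if dh-group5 is acceptable in a given deployment; the two weaker groups and the unconfigured default are still reported.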
Related commands
ipsec policy-template
ipsec policy (system view)
ipsec profile (system view)
Examples
# Enable and configure PFS for IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 200 isakmp
[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group1