Command Reference Guide
3Com Router 3000 Ethernet Family
Chapter 5 IPSec Configuration Commands
3Com Corporation
Example
# Set the global SA duration to 2 hours.
[3Com] ipsec sa global-duration time-based 7200
# Set the global SA duration to 10M bytes transmitted.
[3Com] ipsec sa global-duration traffic-based 10000
5.1.16 pfs
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
View
IPSec policy view, IPSec policy template view
Parameter
dh-group1: Specifies that the 768-bit Diffie-Hellman group is used.
dh-group2: Specifies that the 1024-bit Diffie-Hellman group is used.
dh-group5: Specifies that the 1536-bit Diffie-Hellman group is used.
dh-group14: Specifies that the 2048-bit Diffie-Hellman group is used.
Description
Use the pfs command to enable the Perfect Forward Secrecy (PFS) feature when the
IPSec policy initiates the negotiation.
Use the undo pfs command to disable the PFS feature during the negotiation.
By default, PFS is not used.
The command adds a PFS exchange when IPSec uses this IPSec policy to initiate a
negotiation. This additional key exchange is performed during the phase 2
negotiation to enhance communication security. The DH group specified by the
local and remote ends must be consistent; otherwise the negotiation will fail.
This command can be used only when the security association (SA) is established
through IKE negotiation.
Related command: ipsec policy-template, ipsec policy (system view), ipsec
policy (interface view), tunnel local, tunnel remote, sa duration and proposal.
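The following check is an added example, not part of the 3Com guide: it reads the saved configuration of both tunnel ends and reports IKE-negotiated policies that have no PFS, use a group below a chosen minimum size, or disagree with the peer on the group. It assumes that policy headers start in column 0 with their sub-commands indented, that both ends use the same policy name and sequence number, and that 2048 bits is the local minimum; the function names and sample configurations are constructed for illustration.

```python
import re

# Bit sizes taken from the pfs parameter list in this section.
DH_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}
# Assumed saved-config layout: header in column 0, sub-commands indented.
HEADER = re.compile(r"^ipsec (policy|policy-template) (\S+) (\d+)(?: (isakmp|manual))?\s*$")
PFS = re.compile(r"^\s+pfs (dh-group\d+)\s*$")

def parse_pfs(config):
    """Map (policy name, sequence) -> PFS group, or None when pfs is not set."""
    policies, current = {}, None
    for line in config.splitlines():
        head = HEADER.match(line)
        if head:
            name, seq, mode = head.group(2, 3, 4)
            # pfs applies only to SAs established through IKE: skip manual policies.
            current = None if mode == "manual" else (name, int(seq))
            if current:
                policies[current] = None  # default: no PFS
        elif line and not line[0].isspace():
            current = None  # some other top-level section started
        elif current and (m := PFS.match(line)):
            policies[current] = m.group(1)
    return policies

def audit(local_cfg, remote_cfg, min_bits=2048):
    """Return (policy, finding) pairs; min_bits is a local policy choice (assumption)."""
    local, remote = parse_pfs(local_cfg), parse_pfs(remote_cfg)
    findings = []
    for key, group in sorted(local.items()):
        label = "%s %d" % key
        if group is None:
            findings.append((label, "no-pfs"))
        elif DH_BITS.get(group, 0) < min_bits:
            findings.append((label, "weak-group"))
        if key in remote and remote[key] != group:
            findings.append((label, "peer-mismatch"))  # negotiation will fail
    return findings

# Constructed sample configurations, not taken from a real device.
LOCAL = """\
ipsec policy shanghai 200 isakmp
 pfs dh-group2
ipsec policy shanghai 300 isakmp
ipsec policy beijing 10 manual
"""
REMOTE = "ipsec policy shanghai 200 isakmp\n pfs dh-group14\nipsec policy shanghai 300 isakmp\n"

if __name__ == "__main__":
    print(audit(LOCAL, REMOTE))
```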
Example
# Require PFS when negotiating through IPSec policy shanghai 200.
[3Com] ipsec policy shanghai 200 isakmp










