No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
pfs

pfs

Function

The pfs command enables Perfect Forward Secrecy (PFS) when the local end initiates negotiation.

The undo pfs command disables PFS when the local end initiates negotiation.

By default, PFS is not used when the local end initiates negotiation.

Format

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

undo pfs

Parameters

Parameter

Description

Value

dh-group1

Indicates the 768-bit Diffie-Hellman group.

-

dh-group2

Indicates the 1024-bit Diffie-Hellman group.

-

dh-group5

Indicates the 1536-bit Diffie-Hellman group.

-

dh-group14

Indicates the 2048-bit Diffie-Hellman group.

-

Views

IPSec policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local end initiates negotiation, there is an additional DH exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.

Precautions

If PFS is specified at the local end, you also need to specify PFS at the remote end. The Diffie-Hellman group specified at the two ends must be the same; otherwise, negotiation fails. If one end uses the IPSec policy template mode, the two ends can use different Diffie-Hellman groups.

The 768-bit Diffie-Hellman group (group1) has potential security risks. The 2048-bit Diffie-Hellman group (group14) is recommended.

Example

# Enable the PFS feature in the IPSec policy shanghai whose sequence number is 200.

<Huawei> system-view
[Huawei] ipsec policy shanghai 200 isakmp
[Huawei-ipsec-policy-isakmp-shanghai-200] pfs dh-group14 

# Enable the PFS feature in the IPSec Efficient VPN policy evpn.

<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] pfs dh-group14
Translation
Download
Updated: 2019-05-29

Document ID: EDOC1000097293

Views: 88822

Downloads: 121

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next