No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



The pfs command enables Perfect Forward Secrecy (PFS) when the local end initiates negotiation.

The undo pfs command disables PFS when the local end initiates negotiation.

By default, PFS is not used when the local end initiates negotiation.


pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

undo pfs






Indicates the 768-bit Diffie-Hellman group.



Indicates the 1024-bit Diffie-Hellman group.



Indicates the 1536-bit Diffie-Hellman group.



Indicates the 2048-bit Diffie-Hellman group.



IPSec policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local end initiates negotiation, there is an additional DH exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.


If PFS is specified at the local end, you also need to specify PFS at the remote end. The Diffie-Hellman group specified at the two ends must be the same; otherwise, negotiation fails. If one end uses the IPSec policy template mode, the two ends can use different Diffie-Hellman groups.

The 768-bit Diffie-Hellman group (group1) has potential security risks. The 2048-bit Diffie-Hellman group (group14) is recommended.


# Enable the PFS feature in the IPSec policy shanghai whose sequence number is 200.

<Huawei> system-view
[Huawei] ipsec policy shanghai 200 isakmp
[Huawei-ipsec-policy-isakmp-shanghai-200] pfs dh-group14 

# Enable the PFS feature in the IPSec Efficient VPN policy evpn.

<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] pfs dh-group14
Updated: 2019-05-29

Document ID: EDOC1000097293

Views: 88822

Downloads: 121

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next