12-29-2008 12:04 AM - edited 03-11-2019 07:30 AM
Can anyone explains the exact meaning of Perfect Forward Secracy in simple terms and detailed manner
12-29-2008 07:52 AM
Have a look at this link, it will help you understand basics of IP Security
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
I quote from above link!
Perfect Forward Secrecy (PFS)-PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.
Also reference this thread's answer well put together.
Regards
Rate any helpful posts
12-29-2008 08:05 AM
I have an issue with this statement "The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default."
Does it mean that when I have a site-2-site
VPN between a Cisco IOS router and a Checkpoint
Firewall, PFS group 1, by default, is enable
on the Cisco's side?
If this is true, if I disable PFS on the
Checkpoint's side, in theory, the VPN tunnel
will fail right?
I find that the oposite is true. In other words, if I disable PFS on the checkpoint's
side, then the VPN tunnel will work; if I
enable PFS on the Checkpoint's side, VPN
tunnel will fail, unless I explicitly perform
"pfs group1" on the Cisco to get the VPN
working.
Am I missing something?
12-29-2008 09:56 AM
Hi David, I believe what it means when you enable pfs and don't specify which DH group be used when setting PFS type in Ipsec policy it defaults to DH group 1 768bit
router-3640(config)#crypto map mymap 21
router-3640(config)#crypto map mymap 21
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
router-364(config-crypto-map)#
router-364(config-crypto-map)#set ?
identity Identity restriction.
isakmp-profile Specify isakmp Profile
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
security-association Security association parameters
transform-set Specify list of transform sets in priority order
router-364(config-crypto-map)#set pf
router-364(config-crypto-map)#set pfs ?
group1 D-H Group1 (768-bit modp)
group2 D-H Group2 (1024-bit modp)
group5 D-H Group5 (1536-bit modp)
router-364(config-crypto-map)#set pfs
router-364(config-crypto-map)#
router-364(config-crypto-map)#set pfs <- Pressed ENTER alone
show run
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto map mymap 21 ipsec-isakmp
! Incomplete
set pfs group1
If this is true, if I disable PFS on the
Checkpoint's side, in theory, the VPN tunnel
will fail right?
I agree with you on this one, If you have PFS enable in one end and not the other end tunnel will not form becuse policy will not match.
12-29-2008 04:26 PM
OK Thanks
Will that mean that in case of PFS IPSec SA will use its own keys(not derived from IKE SA Keys) OR PFS will just protect the IPSec keys from getting broken though the IPSec keys are derived from IKE SA keys
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide