Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
148345
Views
29
Helpful
0
Comments

How to configure PFS with IPSec VPN

TCC_2
Level 10
Level 10

on ‎06-18-2009 03:57 PM

What is PFS?

PFS ensures that the same key will not be generated again, so forces a new diffie-hellman key exchange. This would ensure if a hacker\criminal wants to compromise a private key, he would be able to access data in transit which protected by that key and not any future data, as future data will not be associated with that compromised key.

Both sides of VPN should support PFS in order for PFS to work.Therefore using PFS provides a more secure VPN connection.

Resolution

The crypto map set pfs command sets IPSec to ask for Perfect Forward Secrecy (PFS) when new security associations are requested for this crypto map entry. Alternatively, it asks that IPSec requires PFS when requests are received for new security associations.

To specify that IPSec not request PFS, issue the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

Note: By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.

PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised. During negotiation, the no crypto map set pfs command causes IPSec to request PFS when new security associations are requested for the crypto map entry.

The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails.

If the local configuration does not specify a group, a default of group1 is assumed and an offer of either group1 or group2 is accepted. If the local configuration specifies group2, that group must be part of the peer offer or the negotiation fails.

Note: Internet Key Exchange (IKE) negotiations with a remote peer can hang when a PIX Firewall has numerous tunnels that originate from the PIX and terminate on a single remote peer. This problem occurs when PFS is not enabled and the local peer asks for many simultaneous rekey requests. If this problem occurs, the IKE security association does not recover until it has timed out or until the clear [crypto] isakmp sa command is issued to manually clear it. PIX units configured with many tunnels to many peers, or many clients sharing the same tunnel, are not affected by this problem. If the configuration is affected, issue the crypto map mapname seqnum set pfs command to enable PFS.

Product Family

Firewall - PIX 500 series

Routers

VPN - 3000 series concentrator

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents