10-16-2012 06:21 PM
Hi,
I want to learn about the default configuration of PFS on the Cisco ISR router.
------- An Introduction to IP Security (IPSec) Encryption - Create Crypto Map
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml#cryptomap
You can also modify your PFS configuration here. PFS group1 is the default in this example. You can change the PFS to group2, or turn it off altogether, which you should not do.
dt3-45a(config)#crypto map armadillo 10 ipsec-isakmp
dt3-45a(config-crypto-map)#set peer 192.168.10.38
dt3-45a(config-crypto-map)#set session-key lifetime seconds 4000
dt3-45a(config-crypto-map)#set transform-set MamaBear PapaBear BabyBear
dt3-45a(config-crypto-map)#match address 101
--------
This example does not have the PFS configuration; that is, PFS is set to group1.
However, the following command reference says that PFS is not requested.
Which is the correct description for the PFS setting?
------- set pfs
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html#wp1063163
Defaults
By default, PFS is not requested. If no group is specified with this command, the group1 keyword is used as the default.
-------
Thank you for your cooperation in advance.
10-16-2012 08:43 PM
Command reference is the correct one.
If set pfs is not configured within the crypto map configuration, pfs will not be negotiated.
If set pfs is configured without any group, then it will default to group1.
And if you would like to use another group, you would need to set the group# within the set pfs command.
Hope it's clear now.
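The three rules in the answer above (no set pfs means PFS is not negotiated; a bare set pfs means group1; set pfs groupN means that group) are easy to get wrong when reading a long running-config, so here is an added example, not part of the original thread or of any Cisco tool, that audits crypto map entries for their effective PFS setting. The sample configuration embedded in it is constructed for this example; the crypto map name, peer addresses and ACL numbers are placeholders and do not come from the thread.

```python
"""Audit Cisco IOS crypto map entries for their effective PFS setting.

Rules applied (from the accepted answer and the IOS `set pfs` command reference):
  - no `set pfs` line in the entry      -> PFS is not requested (not negotiated)
  - `set pfs` with no group keyword     -> group1 is used
  - `set pfs groupN`                    -> group N is used
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches the header line of a crypto map entry in an IOS running-config.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")
# Matches `set pfs` with an optional group keyword (group1, group2, group14, ...).
SET_PFS_RE = re.compile(r"^\s*set pfs(?:\s+(group\d+))?\s*$")

# Constructed sample running-config (placeholder names and addresses, not from the thread).
SAMPLE_CONFIG = """\
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set STRONG-SET
 match address 110
!
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set pfs
 set transform-set STRONG-SET
 match address 120
!
crypto map VPN-MAP 30 ipsec-isakmp
 set peer 203.0.113.30
 set pfs group2
 set transform-set STRONG-SET
 match address 130
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
"""


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    pfs_configured: bool = False          # True once a `set pfs` line is seen
    pfs_group: Optional[str] = None       # group keyword, or "group1" for bare `set pfs`
    lines: List[str] = field(default_factory=list)

    def pfs_description(self) -> str:
        """Describe the PFS behaviour the router will negotiate for this entry."""
        if not self.pfs_configured:
            return "PFS not requested"
        return f"PFS requested with {self.pfs_group}"


def parse_crypto_maps(config: str) -> Dict[str, CryptoMapEntry]:
    """Return crypto map entries keyed by '<name> <seq>'.

    In an IOS running-config the sub-commands of a crypto map entry are
    indented by one space; any non-indented line (or '!') ends the entry.
    """
    entries: Dict[str, CryptoMapEntry] = {}
    current: Optional[CryptoMapEntry] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current = None
            continue
        header = CRYPTO_MAP_RE.match(line)
        if header:
            current = CryptoMapEntry(name=header.group(1), seq=int(header.group(2)))
            entries[f"{current.name} {current.seq}"] = current
            continue
        if current is None or not line.startswith(" "):
            current = None                # left the crypto map section
            continue
        current.lines.append(line.strip())
        pfs = SET_PFS_RE.match(line)
        if pfs:
            current.pfs_configured = True
            current.pfs_group = pfs.group(1) or "group1"   # bare `set pfs` defaults to group1
    return entries


def pfs_summary(config: str) -> Dict[str, str]:
    """Map each crypto map entry to a human-readable PFS description."""
    return {key: entry.pfs_description() for key, entry in parse_crypto_maps(config).items()}


def entries_without_pfs(config: str) -> List[str]:
    """List entries that will negotiate IPsec SAs without PFS (worth flagging in a review)."""
    return [key for key, entry in parse_crypto_maps(config).items() if not entry.pfs_configured]


if __name__ == "__main__":
    for key, desc in pfs_summary(SAMPLE_CONFIG).items():
        print(f"{key}: {desc}")
    print("Entries without PFS:", entries_without_pfs(SAMPLE_CONFIG))
```

Run against a saved copy of show running-config, the script lists each crypto map entry with the PFS behaviour it will actually negotiate, and entries_without_pfs() points at the ones that match the first rule in the answer above.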
10-16-2012 09:16 PM
Halim san, thank you very much for your kind answer.
10-16-2012 09:19 PM
You are very welcome.