Default configuration of PFS on the Cisco ISR

SATORU SAEGUSA
Level 1

Hi,

I want to learn about the default configuration of PFS on the Cisco ISR router.


------- An Introduction to IP Security (IPSec) Encryption - Create Crypto Map
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml#cryptomap

You can also modify your PFS configuration here. PFS group1 is the default in this example. You can change the PFS to group2, or turn it off altogether, which you should not do.

dt3-45a(config)#crypto map armadillo 10 ipsec-isakmp
dt3-45a(config-crypto-map)#set peer 192.168.10.38
dt3-45a(config-crypto-map)#set session-key lifetime seconds 4000
dt3-45a(config-crypto-map)#set transform-set MamaBear PapaBear BabyBear
dt3-45a(config-crypto-map)#match address 101
--------

This example does not have the PFS configuration; that is, PFS is set to group1.
However, the following command reference says that PFS is not requested.
Which is the correct description of the PFS setting?


------- set pfs
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html#wp1063163

Defaults
By default, PFS is not requested. If no group is specified with this command, the group1 keyword is used as the default.
-------

Thank you for your cooperation in advance.

1 Accepted Solution
Jennifer Halim
Cisco Employee

Command reference is the correct one.

If set pfs is not configured within the crypto map configuration, pfs will not be negotiated.

If set pfs is configured without any group, then it will default to group1.

And if you would like to use another group, you would need to set the group# within the set pfs command.

Hope it's clear now.

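As an added example (not from this thread or from Cisco's documentation), the script below applies the rule in the accepted answer to a saved running-config: a crypto map entry with no set pfs negotiates no PFS at all, a bare set pfs means group1, and only an explicit group gives something stronger. The configuration text is constructed for illustration; the map name, peers and the group14 entry are assumptions, not values from the thread.

```python
import re

# Constructed sample in show running-config form: three entries of one
# crypto map that differ only in their PFS setting.
SAMPLE_CONFIG = """\
crypto map armadillo 10 ipsec-isakmp
 set peer 192.168.10.38
 set session-key lifetime seconds 4000
 set transform-set MamaBear PapaBear BabyBear
 match address 101
crypto map armadillo 20 ipsec-isakmp
 set peer 192.168.10.39
 set pfs
 set transform-set MamaBear
 match address 102
crypto map armadillo 30 ipsec-isakmp
 set peer 192.168.10.40
 set pfs group14
 set transform-set MamaBear
 match address 103
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")
PFS_RE = re.compile(r"^\s+set pfs(?:\s+(group\S+))?\s*$")

# DH groups too small to rely on today: group1 is 768-bit and group2 is
# 1024-bit MODP.
WEAK_GROUPS = {"group1", "group2"}

def audit_pfs(config: str) -> dict:
    """Map each 'name seq' IPsec crypto map entry to its effective PFS.

    'none' means set pfs is absent, so PFS is not negotiated at all;
    a bare 'set pfs' is reported as group1, the IOS default group.
    """
    result = {}
    current = None
    for line in config.splitlines():
        m = MAP_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            result[current] = "none"
            continue
        p = PFS_RE.match(line)
        if p and current is not None:
            result[current] = p.group(1) or "group1"
    return result

def weak_entries(config: str) -> list:
    """Entries that skip PFS or rely on a weak DH group, in config order."""
    groups = audit_pfs(config)
    return [k for k, g in groups.items() if g == "none" or g in WEAK_GROUPS]
```

Run it against the output of show running-config to list the map entries that still need an explicit set pfs group.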

3 Replies

Halim san, thank you very much for your kind answer.

You are very welcome.
