09-20-2008 03:54 AM
Hi,
I have been setting up a few VPN's to customers on my Cisco ASA, some use the PFS option and some don't.
What is this used for?
09-20-2008 07:29 AM
In the first quick mode packet, the initiator sends the identity information, the IPSec SA proposal, the Nonce payload, and the optional Key Exchange (KE) payload in case Perfect Forward Secrecy (PFS) is used.
Perfect Forward Secrecy (PFS) is a cryptographic technique where the newly generated keys are unrelated to any previously generated key. With PFS enabled, the Cisco ASA generates a new set of keys which is used during the IPSec Phase 2 negotiations. Without PFS, the Cisco ASA uses the Phase 1 keys during the Phase 2 negotiations. The Cisco ASA uses Diffie-Hellman groups 1, 2, 5, and 7 for PFS to generate the keys. Diffie-Hellman group 1 uses a 768-bit modulus to generate the keys, while group 2 uses a 1024-bit and group 5 a 1536-bit modulus. Group 7, where the elliptic curve field size is 163 bits, is designed for faster computation of keys and is usually used by handheld PCs. Group 5 is the most secure technique but requires more processing overhead. The syntax to configure PFS is:
crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}
It is an optional command.
If helpful, rate.
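The difference the answer above describes (Phase 2 keys derived from the Phase 1 secret alone, versus from a fresh Diffie-Hellman exchange) can be seen directly in the IKEv1 quick mode key derivation from RFC 2409 section 5.5. The following is an added simulation, not code from the thread or from Cisco: it derives KEYMAT both ways and shows that an eavesdropper who captured the quick mode packets and later obtains the Phase 1 secret SKEYID_d recovers the IPSec keys without PFS, but not with PFS. The DH group is a toy modulus chosen for readability (an assumption; it is not one of the ASA's groups 1/2/5/7 and gives no real security), and the nonces, SPI and SKEYID_d are constructed at random rather than taken from a real negotiation.

```python
"""Added example: IKEv1 quick mode KEYMAT with and without PFS (RFC 2409 s5.5).

  without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
  with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)

Attacker model: captured the quick mode packets and LATER learned SKEYID_d
(for example from a device compromise), but holds no private DH exponent.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: toy MODP group for illustration only. It is NOT one of the ASA's
# DH groups (1/2/5/7) and offers no real security; the arithmetic is identical.
P = 2**127 - 1  # Mersenne prime
G = 3

PROTO_ESP = b"\x03"  # PROTO_IPSEC_ESP from the IPsec DOI (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, proto: bytes, spi: bytes, ni: bytes, nr: bytes,
           gxy: Optional[bytes] = None) -> bytes:
    """Derive KEYMAT; gxy is the fresh quick mode DH secret when PFS is on."""
    prefix = gxy if gxy is not None else b""
    return prf(skeyid_d, prefix + proto + spi + ni + nr)


def dh_keypair() -> Tuple[int, int]:
    """Fresh private exponent in [2, P-1) and its public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_shared(x: int, gy: int) -> bytes:
    """g^xy mod p, serialised as the 16-byte value that feeds the prf."""
    return pow(gy, x, P).to_bytes(16, "big")


def quick_mode(skeyid_d: bytes, pfs: bool) -> Tuple[bytes, bytes, bytes]:
    """Run one quick mode exchange.

    Returns (initiator KEYMAT, responder KEYMAT, attacker's reconstruction).
    The attacker knows SKEYID_d plus everything on the wire (SPI, nonces and,
    with PFS, the public DH values) but neither private exponent.
    """
    spi = secrets.token_bytes(4)   # constructed, stands in for a negotiated SPI
    ni = secrets.token_bytes(16)   # Nonce payload from the initiator
    nr = secrets.token_bytes(16)   # Nonce payload from the responder

    if pfs:
        # The optional KE payload: both peers pick fresh exponents for Phase 2.
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        ki = keymat(skeyid_d, PROTO_ESP, spi, ni, nr, dh_shared(xi, gxr))
        kr = keymat(skeyid_d, PROTO_ESP, spi, ni, nr, dh_shared(xr, gxi))
    else:
        # Phase 2 keys come from the Phase 1 secret and public nonces only.
        ki = kr = keymat(skeyid_d, PROTO_ESP, spi, ni, nr)

    # Attacker: SKEYID_d and the captured packets are all it has. Without a
    # quick mode private exponent it cannot form g(qm)^xy, so the best it can
    # do is the no-PFS derivation.
    ka = keymat(skeyid_d, PROTO_ESP, spi, ni, nr)
    return ki, kr, ka


if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(20)  # constructed stand-in for the Phase 1 secret
    for pfs in (False, True):
        ki, kr, ka = quick_mode(skeyid_d, pfs)
        assert ki == kr, "peers must agree on KEYMAT"
        print(f"pfs={pfs}: attacker with SKEYID_d recovers KEYMAT? {ka == ki}")
```

Without PFS the attacker's reconstruction matches the peers' KEYMAT exactly; with PFS it does not, and recovering it would mean solving the discrete logarithm for the fresh quick mode exchange. That is the property the `set pfs` keyword buys, at the cost of an extra DH computation on every Phase 2 rekey.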
09-20-2008 07:38 AM
Thanks! Optional but sounds more secure, I will use this!
06-24-2017 10:44 PM
Thanks for the explanation!