VPN site to site with Diffie-Hellman Group

tinhnho123 (Level 2)

Hello Guys,

I currently have a VPN site to site setup between my ASA and Cisco router without Perfect Forward Secrecy enabled (no Diffie-Hellman Group), and I also have another VPN site to site setup between my ASA and Cisco router with Perfect Forward Secrecy enabled and a Diffie-Hellman Group (group 5). Both setups are working fine so far, since they've been up for a few weeks. My questions are:

    What do Perfect Forward Secrecy and Diffie-Hellman Group really do in the VPN?

    What if I don't have Perfect Forward Secrecy enabled and a Diffie-Hellman Group set up, will it affect my VPN performance?

Thanks.


Accepted Solution

Jan Rolny (Level 3)

Hi,

Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.

It depends on how much your VPN is used, but basically it will not affect your VPN performance with only a few connections.

But on the other hand, it means that "Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost".

Best Regards,

Jan

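The key-derivation difference Jan describes, as an added Python example that is not part of this thread or of any Cisco code: it models how IPsec child-SA keys are derived from the IKE SA secret with and without a fresh Diffie-Hellman exchange, using the IKEv2 formulas from RFC 7296 (IKEv1 Quick Mode in RFC 2409 works the same way, with SKEYID_d in place of SK_d). The DH group is group 5, the 1536-bit MODP prime from RFC 3526, transcribed here and sanity-checked by `is_probable_prime`. It then shows what an attacker who has recovered SK_d and captured the rekey exchange can derive in each case. All function names, the 32-byte nonces, the 64-byte KEYMAT length and the all-zero "compromised" SK_d in `demo` are illustrative choices, not anything from the thread.

```python
"""Added toy model: IPsec child-SA keys with and without PFS (IKEv2 formulas, RFC 7296)."""
import hashlib, hmac, secrets, time

# DH group 5: the 1536-bit MODP prime from RFC 3526 (transcribed; checked by is_probable_prime).
GROUP5_P = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05"
    "98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB"
    "9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)
GROUP5_G = 2                                  # generator for group 5

def is_probable_prime(n, rounds=8):
    """Miller-Rabin; here only to sanity-check the transcribed group prime."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p=GROUP5_P, g=GROUP5_G):
    """Ephemeral DH key: private exponent x and the KE payload value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(priv, peer_pub, p=GROUP5_P):
    """g^ir = peer_pub^priv mod p, as the fixed-length byte string IKE feeds to prf+."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")

def prf_plus(key, seed, nbytes):
    """prf+ from RFC 7296 s2.13 with HMAC-SHA256: T1 = prf(K, S|1), Tn = prf(K, Tn-1|S|n)."""
    out, t, i = b"", b"", 1
    while len(out) < nbytes:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:nbytes]

def child_keymat(sk_d, ni, nr, g_ir=b"", nbytes=64):
    """RFC 7296 s2.17: KEYMAT = prf+(SK_d, Ni | Nr), or prf+(SK_d, g^ir | Ni | Nr) with PFS."""
    return prf_plus(sk_d, g_ir + ni + nr, nbytes)

def rekey(sk_d, pfs):
    """One child-SA rekey.  Returns the KEYMAT both peers derive plus everything an
    eavesdropper who already broke the IKE SA (knows SK_d, can decrypt the exchange) sees."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)   # fresh nonces
    observed = {"sk_d": sk_d, "ni": ni, "nr": nr}
    if not pfs:
        return child_keymat(sk_d, ni, nr), observed
    xi, ke_i = dh_keypair()                     # initiator's private exponent / KE payload
    xr, ke_r = dh_keypair()                     # responder's
    km_i = child_keymat(sk_d, ni, nr, dh_shared(xi, ke_r))
    km_r = child_keymat(sk_d, ni, nr, dh_shared(xr, ke_i))
    assert km_i == km_r                         # both sides agree on g^ir
    observed.update(ke_i=ke_i, ke_r=ke_r)       # public values only; xi and xr never leave the peers
    return km_i, observed

def attacker_keymat(observed):
    """Without PFS every derivation input is known, so the child keys fall straight out of SK_d.
    With PFS the missing input is g^ir; recovering it from ke_i/ke_r is the discrete-log
    problem in the 1536-bit group, so nothing can be derived."""
    if "ke_i" in observed:
        return None
    return child_keymat(observed["sk_d"], observed["ni"], observed["nr"])

def pfs_cpu_cost_seconds(exchanges=3):
    """Average time for one peer's share of a group 5 exchange (two modular exponentiations)."""
    start = time.perf_counter()
    for _ in range(exchanges):
        x, gx = dh_keypair()
        dh_shared(x, gx)
    return (time.perf_counter() - start) / exchanges

def demo(sk_d=bytes(32)):
    """Run both variants against a constructed, already-compromised SK_d."""
    km, seen = rekey(sk_d, pfs=False)
    km_pfs, seen_pfs = rekey(sk_d, pfs=True)
    return {"no_pfs_attacker_gets_keymat": attacker_keymat(seen) == km,
            "pfs_attacker_gets_keymat": attacker_keymat(seen_pfs) == km_pfs,
            "pfs_keymat_unlike_no_pfs_formula":
                child_keymat(sk_d, seen_pfs["ni"], seen_pfs["nr"]) != km_pfs}

if __name__ == "__main__":
    print("group 5 prime OK:", GROUP5_P.bit_length() == 1536 and is_probable_prime(GROUP5_P))
    print(demo())
    print("DH cost per rekey: %.1f ms" % (1000 * pfs_cpu_cost_seconds()))
```

Running it shows the two halves of Jan's answer in one place: `demo()` reports that the attacker reproduces the child keys exactly when PFS is off and gets nothing when it is on, and `pfs_cpu_cost_seconds()` puts a number on the "large exponentiations" (two 1536-bit modular exponentiations per peer per rekey, paid once per IPsec SA lifetime, which is why it is invisible on a lightly used tunnel). On the IOS side, `show crypto ipsec sa` prints `PFS (Y/N): Y, DH group: group5` for a crypto map entry configured with `set pfs group5`, so that is the quickest way to confirm which of the two tunnels is actually doing the extra exchange. One caveat worth noting: a 1536-bit group gives roughly 90 bits of security, below the 112-bit level of the 2048-bit group 14, so if PFS is being added for its security value rather than just turned on, group 14 or the ECDH groups 19 or 20 are the better choice where both ends support them.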

Replies


Thanks for the useful information.