set pfs [group1 | group2] – ADTRAN 1000R Series User Manual

Page 1236


Command Reference Guide

Crypto Map IKE Command Set

61200510L1-35E

Copyright © 2005 ADTRAN


set pfs [group1 | group2]

Use the set pfs command to choose the type of perfect forward secrecy (PFS), if any, that will be required
when IPSec security associations (SAs) are negotiated for this crypto map. Use the no form of this command
to require no PFS.

Syntax Description

group1

Requires IPSec to use Diffie-Hellman Group 1 (768-bit modulus) exchange during
IPSec SA key generation.

group2

Requires IPSec to use Diffie-Hellman Group 2 (1024-bit modulus) exchange
during IPSec SA key generation.

Default Values

By default, no PFS will be used during IPSec SA key generation.

Applicable Platforms

This command applies to the NetVanta 300, 1000R, 2000, 3000, 4000, and 5000 and Total Access 900
Series units.

Command History

Release 4.1

Command was introduced.

Functional Notes

If left at the default setting, no perfect forward secrecy (PFS) is used during IPSec SA key generation: the
keys for each IPSec SA are derived from the keying material established by the IKE (phase 1) exchange, so an
attacker who recovers that phase 1 keying material can derive every IPSec SA key built from it. If PFS is
specified, a fresh Diffie-Hellman exchange using the specified group is performed for the initial and every
subsequent IPSec SA key generation, so compromise of one set of keys (or of the phase 1 keying material)
reveals nothing about prior or future IPSec SA keys. The remote peer must be configured for the same PFS
group, or the IPSec SA negotiation will fail. Note that group1 uses a 768-bit modulus, which is far below
current recommendations for Diffie-Hellman key sizes; prefer group2 wherever the peer supports it.

Usage Examples

The following example requires the Diffie-Hellman Group 1 exchange during IPSec SA key generation (note
that the keyword is written as one word, group1, not "group 1"):

(config-crypto-map)#set pfs group1
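The following audit script is an added example for this page; it is not part of the ADTRAN manual and not ADTRAN code. It walks a running-configuration text, finds each crypto map ipsec-ike entry and reports the PFS setting that entry will use: none (the default, when no set pfs line is present or no set pfs is configured), group1, or group2, flagging the first two and suggesting the command to apply. The sample configuration is constructed; its match address, set peer and set transform-set lines are assumed AOS syntax included only for context, and the 1024-bit acceptance threshold is the editor's assumption, not a value from the manual.

```python
"""Audit ADTRAN AOS crypto map entries for missing or weak PFS.

Added example, not ADTRAN code. Only the `crypto map ... ipsec-ike`,
`set pfs` and `no set pfs` lines matter to the audit; the other lines
in the sample are assumed AOS syntax kept for realism.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
!
crypto map VPN 10 ipsec-ike
 match address VPN-10-ACL
 set peer 203.0.113.10
 set transform-set esp-3des-esp-sha-hmac
 set pfs group1
!
crypto map VPN 20 ipsec-ike
 match address VPN-20-ACL
 set peer 203.0.113.20
 set transform-set esp-aes-256-cbc-esp-sha-hmac
 no set pfs
!
crypto map VPN 30 ipsec-ike
 match address VPN-30-ACL
 set peer 203.0.113.30
 set transform-set esp-aes-256-cbc-esp-sha-hmac
 set pfs group2
!
crypto map VPN 40 ipsec-ike
 match address VPN-40-ACL
 set peer 203.0.113.40
 set transform-set esp-aes-256-cbc-esp-sha-hmac
!
"""

# Modulus sizes of the two groups this command accepts (from the manual page).
DH_GROUP_BITS = {"group1": 768, "group2": 1024}
# Editorial threshold (assumption): anything below this is reported as weak.
MIN_ACCEPTABLE_BITS = 1024

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-ike\s*$")
PFS_RE = re.compile(r"^\s+set pfs (group1|group2)\s*$")
NO_PFS_RE = re.compile(r"^\s+no set pfs\s*$")


@dataclass
class PfsFinding:
    map_name: str
    seq: int
    group: Optional[str]  # None means no PFS, which is the command's default
    status: str           # "no-pfs", "weak" or "ok"


def classify(group: Optional[str]) -> str:
    """Map a PFS group (or its absence) to an audit status."""
    if group is None:
        return "no-pfs"
    return "weak" if DH_GROUP_BITS[group] < MIN_ACCEPTABLE_BITS else "ok"


def audit_pfs(config_text: str) -> List[PfsFinding]:
    """Return one finding per crypto map ipsec-ike entry in config_text.

    An entry starts at its `crypto map ... ipsec-ike` line and ends at the
    next non-indented line (for example `!`) or at end of input. Within an
    entry the last `set pfs` / `no set pfs` line wins; an entry with
    neither keeps the default, no PFS.
    """
    findings: List[PfsFinding] = []
    current = None  # (name, seq, group) while inside an entry

    def flush():
        if current is not None:
            name, seq, group = current
            findings.append(PfsFinding(name, seq, group, classify(group)))

    for line in config_text.splitlines():
        header = MAP_RE.match(line)
        if header:
            flush()
            current = (header.group(1), int(header.group(2)), None)
            continue
        if current is None:
            continue
        if not line[:1].isspace():  # left the entry
            flush()
            current = None
            continue
        pfs = PFS_RE.match(line)
        if pfs:
            current = (current[0], current[1], pfs.group(1))
        elif NO_PFS_RE.match(line):
            current = (current[0], current[1], None)
    flush()
    return findings


def remediation(finding: PfsFinding) -> Optional[str]:
    """Command to enter under (config-crypto-map)# for entries that need it.

    group2 is the largest modulus the set pfs command on this page accepts.
    """
    return None if finding.status == "ok" else "set pfs group2"


if __name__ == "__main__":
    for f in audit_pfs(SAMPLE_CONFIG):
        fix = remediation(f)
        print(f"crypto map {f.map_name} {f.seq}: pfs={f.group or 'none'} "
              f"[{f.status}]" + (f"  -> {fix}" if fix else ""))
```

Run it against the output of show running-config saved to a file by replacing SAMPLE_CONFIG with the file contents. Entries are reported per crypto map sequence number because PFS is set per entry, so a map with several peers can mix settings; the peer side must be checked separately since both ends need the same group for the IPSec SA negotiation to succeed.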
