

vpn interface ipsec ipsec perfect-forward-secrecy—Configure the perfect forward secrecy (PFS) settings to use on an IPsec tunnel that is being used for IKE key exchange (on vEdge routers only). PFS ensures that past sessions are not affected if future keys are compromised, because each session's keys are derived from a fresh Diffie-Hellman exchange rather than from the long-lived IKE keys.

vManage Feature Template

For vEdge routers only:

Configuration ► Templates ► VPN Interface IPsec

Command Hierarchy

vpn vpn-id
  interface ipsecnumber
    ipsec
      perfect-forward-secrecy pfs-setting


pfs-setting
PFS Setting for IPsec Tunnel
Type of PFS to use on an IPsec tunnel that is being used for IKE key exchange. It can be one of the following:
  • group-2—Use the 1024-bit Diffie-Hellman prime modulus group.
  • group-14—Use the 2048-bit Diffie-Hellman prime modulus group.
  • group-15—Use the 3072-bit Diffie-Hellman prime modulus group.
  • group-16—Use the 4096-bit Diffie-Hellman prime modulus group.
  • none—Disable PFS. With PFS disabled, the tunnel's session keys are derived from the IKE keys, so the protection for past sessions described above no longer applies.
Default: group-16


Have the IPsec tunnel use the 2048-bit modulus group:

vEdge(config)# vpn 1 interface ipsec1 ipsec
vEdge(config-ipsec)# perfect-forward-secrecy group-14

For a Microsoft Azure endpoint that does not support PFS, disable PFS on an IPsec tunnel:

vEdge(config)# vpn 1 interface ipsec1 ipsec
vEdge(config-ipsec)# perfect-forward-secrecy none
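The PFS setting is easy to get wrong at scale: a tunnel with no perfect-forward-secrecy line silently uses the default (group-16), while a tunnel configured with none or group-2 weakens or removes the protection described above. The following script is an added example, not part of Cisco's documentation or the vEdge software: it parses a constructed vEdge-style configuration excerpt (the exact indentation of a real show running-config output is an assumption), reports the effective PFS setting of every ipsec interface including the default for unconfigured ones, and flags tunnels where PFS is disabled or the modulus is shorter than a policy threshold (2048 bits here, a value chosen for the example).

```python
"""Audit vEdge IPsec tunnel configurations for their perfect-forward-secrecy setting.

Added example; assumes a running-config layout where nested modes are indented
by one space per level and closed with "!" (an assumption about the real format).
"""
import re
from typing import Dict, List, Tuple

# Diffie-Hellman groups accepted by the command and the modulus size each selects
# (from the command reference).
PFS_GROUPS = {
    "group-2": 1024,
    "group-14": 2048,
    "group-15": 3072,
    "group-16": 4096,
}
DEFAULT_PFS = "group-16"  # applied when no perfect-forward-secrecy line is configured

# Constructed sample configuration; not captured from a real device.
SAMPLE_CONFIG = """\
vpn 1
 interface ipsec1
  ipsec
   perfect-forward-secrecy group-14
  !
 !
 interface ipsec2
  ipsec
   perfect-forward-secrecy none
  !
 !
 interface ipsec3
  ipsec
   rekey 3600
  !
 !
!
vpn 2
 interface ipsec1
  ipsec
   perfect-forward-secrecy group-2
  !
 !
!
"""


def parse_pfs_settings(config: str) -> Dict[Tuple[int, str], str]:
    """Return {(vpn-id, interface): pfs-setting} for every ipsec interface.

    Interfaces with no perfect-forward-secrecy line are reported with the
    command default (group-16), so the result shows the effective setting.
    """
    results: Dict[Tuple[int, str], str] = {}
    vpn_id = None
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"vpn (\d+)$", line)
        if m and not raw.startswith(" "):  # top-level vpn block
            vpn_id = int(m.group(1))
            iface = None
            continue
        m = re.match(r"interface (ipsec\d+)$", line)
        if m and vpn_id is not None:
            iface = m.group(1)
            results[(vpn_id, iface)] = DEFAULT_PFS  # until a line overrides it
            continue
        m = re.match(r"perfect-forward-secrecy (\S+)$", line)
        if m and iface is not None:
            results[(vpn_id, iface)] = m.group(1)
    return results


def weak_pfs(settings: Dict[Tuple[int, str], str],
             min_modulus_bits: int = 2048) -> List[Tuple[int, str, str]]:
    """List tunnels whose PFS is disabled, unrecognised, or below the modulus threshold."""
    findings = []
    for (vpn_id, iface), setting in sorted(settings.items()):
        if setting == "none":
            findings.append((vpn_id, iface, "PFS disabled: session keys depend on the IKE keys"))
        elif setting not in PFS_GROUPS:
            findings.append((vpn_id, iface, f"unrecognised setting {setting!r}"))
        elif PFS_GROUPS[setting] < min_modulus_bits:
            findings.append((vpn_id, iface, f"{setting} uses a {PFS_GROUPS[setting]}-bit modulus"))
    return findings


if __name__ == "__main__":
    effective = parse_pfs_settings(SAMPLE_CONFIG)
    for (vpn_id, iface), setting in sorted(effective.items()):
        print(f"vpn {vpn_id} interface {iface}: {setting}")
    for vpn_id, iface, reason in weak_pfs(effective):
        print(f"WEAK  vpn {vpn_id} interface {iface}: {reason}")
```

Run against a saved configuration instead of the embedded sample by passing the file contents to parse_pfs_settings; the threshold argument of weak_pfs lets you encode your own minimum group policy.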

Release Information

Command introduced in Viptela Software Release 17.2.3.

Additional Information

See the Configuring IKE article for your software release.
