Cisco SD-WAN: Viptela Documentation

perfect-forward-secrecy

vpn interface ipsec ipsec perfect-forward-secrecy—Configure the perfect forward secrecy (PFS) setting to use on an IPsec tunnel whose keys are negotiated with IKE (vEdge routers only). With PFS, each IPsec security association derives its keys from a fresh Diffie-Hellman exchange, so the compromise of a long-term key or of one session's keys does not expose the traffic of earlier sessions.

vManage Feature Template

For vEdge routers only:

Configuration ► Templates ► VPN Interface IPsec

Command Hierarchy

vpn vpn-id
  interface ipsecnumber
    ipsec
      perfect-forward-secrecy pfs-setting

Options

PFS Setting for IPsec Tunnel
pfs-setting
Type of PFS to use on an IPsec tunnel whose keys are negotiated with IKE. It can be one of the following:
group-2—Use the 1024-bit Diffie-Hellman prime modulus group. A 1024-bit modulus no longer meets current key-strength guidance; select it only for interoperability with a peer that offers nothing stronger.
group-14—Use the 2048-bit Diffie-Hellman prime modulus group.
group-15—Use the 3072-bit Diffie-Hellman prime modulus group.
group-16—Use the 4096-bit Diffie-Hellman prime modulus group.
none—Disable PFS. The IPsec SA keys are then derived from the IKE SA keying material alone, so a compromise of that material exposes earlier sessions on the tunnel.
Default: group-16 (applies whenever no perfect-forward-secrecy line is configured under ipsec)

Example

Have the IPsec tunnel use the 2048-bit modulus group:

vEdge(config)# vpn 1 interface ipsec1 ipsec
vEdge(config-ipsec)# perfect-forward-secrecy group-14

For a Microsoft Azure endpoint that does not support PFS, disable PFS on the IPsec tunnel to that endpoint (other tunnels keep their own setting):

vEdge(config)# vpn 1 interface ipsec1 ipsec
vEdge(config-ipsec)# perfect-forward-secrecy none
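As an added example (not Cisco or Viptela code, and not part of this reference page), the script below audits a vEdge running-config and reports every IPsec tunnel that negotiates no PFS or a Diffie-Hellman group below a chosen policy floor. It treats an ipsec block with no perfect-forward-secrecy line as the documented default, group-16. The sample configuration is constructed in the style of vEdge show running-config output rather than captured from a device, and the group-14 policy floor is an assumption, not a Cisco recommendation.

```python
"""Audit perfect-forward-secrecy on every IPsec tunnel in a vEdge running-config.

Added example, not Cisco or Viptela code. SAMPLE_CONFIG is constructed in the style
of vEdge 'show running-config' output, not captured from a device; MIN_ACCEPTABLE is
an assumed local policy, not a Cisco recommendation."""
from collections import namedtuple

PFS_DEFAULT = "group-16"      # documented default when the ipsec block has no PFS line
MIN_ACCEPTABLE = "group-14"   # assumption: policy forbids anything below 2048-bit MODP
PFS_BITS = {"group-2": 1024, "group-14": 2048, "group-15": 3072, "group-16": 4096, "none": 0}

# Constructed sample: explicit group-14, explicit none, implicit default, explicit group-2.
SAMPLE_CONFIG = """\
vpn 1
 interface ipsec1
  ike
   version 2
  !
  ipsec
   perfect-forward-secrecy group-14
  !
 !
 interface ipsec2
  ipsec
   perfect-forward-secrecy none
  !
 !
 interface ipsec3
  ipsec
   rekey 3600
  !
 !
!
vpn 2
 interface ipsec4
  ipsec
   perfect-forward-secrecy group-2
  !
 !
!
"""

# explicit is False when PFS_DEFAULT applied because the line was absent.
TunnelPfs = namedtuple("TunnelPfs", "vpn interface pfs explicit")


def parse_pfs(config):
    """Walk the '!'-terminated hierarchy; return one TunnelPfs per ipsec interface."""
    tunnels, stack = [], []       # stack holds (indent, block name) of open blocks
    vpn = iface = pfs = None

    def close_iface():
        nonlocal iface, pfs
        if iface is not None:
            tunnels.append(TunnelPfs(vpn, iface, pfs or PFS_DEFAULT, pfs is not None))
        iface = pfs = None

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        words = line.split()
        if line == "!":                      # '!' closes the block opened at this indent
            while stack and stack[-1][0] >= depth:
                if stack.pop()[1] == "interface":
                    close_iface()
        elif depth == 0 and words[0] == "vpn" and len(words) == 2:
            close_iface()
            vpn = words[1]
            stack.append((depth, "vpn"))
        elif words[0] == "interface" and len(words) == 2:
            close_iface()
            stack.append((depth, "interface"))
            iface = words[1] if words[1].startswith("ipsec") else None  # skip ge/loopback
        elif line == "ipsec" and iface is not None:
            stack.append((depth, "ipsec"))
        elif words[0] == "perfect-forward-secrecy" and len(words) == 2 and stack and stack[-1][1] == "ipsec":
            pfs = words[1]
    close_iface()
    return tunnels


def audit(tunnels, minimum=MIN_ACCEPTABLE):
    """Return (tunnel, reason) for each tunnel weaker than the policy minimum."""
    floor, findings = PFS_BITS[minimum], []
    for t in tunnels:
        bits = PFS_BITS.get(t.pfs)
        if bits is None:
            findings.append((t, f"unrecognised pfs-setting {t.pfs!r}"))
        elif bits == 0:
            findings.append((t, "PFS disabled: IPsec SA keys derive from IKE SA material alone"))
        elif bits < floor:
            findings.append((t, f"{t.pfs} is {bits}-bit, below the {floor}-bit minimum"))
    return findings


if __name__ == "__main__":
    for tunnel, reason in audit(parse_pfs(SAMPLE_CONFIG)):
        print(f"vpn {tunnel.vpn} {tunnel.interface}: {reason}")
```

Against the sample, ipsec2 (PFS disabled) and ipsec4 (group-2) are reported; ipsec3 is accepted because the absent line means the group-16 default is in force. Raising the floor to group-16 additionally flags the explicit group-14 tunnel, which is the check to run before a policy change rather than after it.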

Release Information

Command introduced in Viptela Software Release 17.2.3.

Additional Information

See the Configuring IKE article for your software release.
