From: Venkatesh Palani (kvpalani@gmail.com)
Date: Tue Mar 07 2006 - 19:11:17 GMT-3
Hi Don,
Did you try this link?
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fipsencr/srfipsec.htm#xtocid11
From the site ... to make life easier ...
set pfs
To specify that IP Security should ask for perfect forward secrecy (PFS)
when requesting new security associations for this crypto map entry, or that
IPSec requires PFS when receiving requests for new security associations,
use the set pfs crypto map configuration command. To specify that IPSec
should not request PFS, use the no form of the command.

  set pfs [group1 | group2]
  no set pfs

Syntax Description
  group1    (Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman
            prime modulus group when performing the new Diffie-Hellman exchange.
  group2    (Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman
            prime modulus group when performing the new Diffie-Hellman exchange.

Defaults
By default, PFS is not requested. If no group is specified with this
command, group1 is used as the default.

Command Modes
Crypto map configuration

Command History
  Release   Modification
  11.3 T    This command was introduced.

Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and
dynamic crypto map entries.

During negotiation, this command causes IPSec to request PFS when requesting
new security associations for the crypto map entry. The default (group1)
is sent if the set pfs statement does not specify a group. If the peer
initiates the negotiation and the local configuration specifies PFS, the
remote peer must perform a PFS exchange or the negotiation will fail. If the
local configuration does not specify a group, a default of group1 will be
assumed, and an offer of either group1 or group2 will be accepted. If
the local configuration specifies group2, that group must be part of the
peer's offer or the negotiation will fail. If the local configuration does
not specify PFS it will accept any offer of PFS from the peer.

PFS adds another level of security because if one key is ever cracked by an
attacker then only the data sent with that key will be compromised. Without
PFS, data sent with other keys could be also compromised.

With PFS, every time a new security association is negotiated, a new
Diffie-Hellman exchange occurs. (This exchange requires additional
processing time.)

The 1024-bit Diffie-Hellman prime modulus group, group2, provides more
security than group1, but requires more processing time than group1.

Examples
The following example specifies that PFS should be used whenever a new
security association is negotiated for the crypto map "mymap 10":

  crypto map mymap 10 ipsec-isakmp
   set pfs group2
On 3/8/06, ccieim@comcast.net <ccieim@comcast.net> wrote:
>
> Hi group,
> Can anyone out there explain to me what the set pfs groupx command does? I
> searched the Cisco site, but the doc only shows how to use it and does not
> mention what it is for.
> Thanks,
> Don
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
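The negotiation rules in the usage guidelines above (peer initiates, local crypto map entry responds) are easy to misread, so here they are worked through as an added model. This is illustrative code written for this reply, not Cisco's implementation; the function names, the `Outcome` type and the choice of the stronger group when several are acceptable are assumptions, and the 768/1024-bit sizes are the ones the document states.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Diffie-Hellman prime modulus sizes (bits) named in the set pfs documentation
DH_GROUP_BITS = {"group1": 768, "group2": 1024}


@dataclass(frozen=True)
class Outcome:
    success: bool
    pfs_group: Optional[str]  # group used for the new DH exchange; None = no PFS
    reason: str


def initiator_request(local_pfs: Optional[str]) -> Optional[str]:
    """Group the local side asks for when it starts the negotiation.
    local_pfs: None = no 'set pfs'; 'group1' = 'set pfs' or 'set pfs group1'
    (group1 is the documented default); 'group2' = 'set pfs group2'."""
    return local_pfs


def responder_outcome(local_pfs: Optional[str], peer_offer: FrozenSet[str]) -> Outcome:
    """Result when the PEER initiates and this crypto map entry responds.
    peer_offer is the set of PFS groups the peer proposes; empty = no PFS offered."""
    known = {g for g in peer_offer if g in DH_GROUP_BITS}
    if local_pfs is None:
        # No PFS configured locally: any PFS offer is accepted, and so is no PFS.
        if not known:
            return Outcome(True, None, "no PFS configured; peer offered none")
        # Assumption: if several groups are offered, the stronger one is taken.
        return Outcome(True, max(known, key=DH_GROUP_BITS.get), "accepted peer's PFS offer")
    if not known:
        # Local config specifies PFS: the peer must perform a PFS exchange.
        return Outcome(False, None, "local requires PFS but peer offered no PFS exchange")
    if local_pfs == "group2":
        # group2 must be part of the peer's offer or negotiation fails.
        if "group2" not in known:
            return Outcome(False, None, "local requires group2, not in peer's offer")
        return Outcome(True, "group2", "group2 present in peer's offer")
    # local_pfs == 'group1' (explicit or default): an offer of group1 or group2 is accepted.
    # Assumption: the stronger acceptable offered group is chosen.
    return Outcome(True, max(known, key=DH_GROUP_BITS.get), "group1 or group2 acceptable")
```

Note that `set pfs group2` on one side with a peer offering only group1 fails outright, which is the usual cause of "PFS mismatch" failures when only one end of a tunnel is tightened.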
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:38 GMT-3