Cisco Support Community

How to configure PFS with IPSec VPN

What is PFS?

PFS ensures that the same key will not be generated again: it forces a new Diffie-Hellman key exchange for each new security association. This means that if an attacker compromises a private key, they can only read the data in transit that was protected by that key, not any future data, because future data will not be protected with the compromised key.

Both sides of the VPN must support PFS for it to work. Using PFS therefore provides a more secure VPN connection.


The crypto map set pfs command configures IPSec to ask for Perfect Forward Secrecy (PFS) when new security associations are requested for this crypto map entry, and to require PFS when requests for new security associations are received from the peer.

To specify that IPSec should not request PFS, issue the no crypto map set pfs command. This command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries.

Note: By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.

PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised. During negotiation, the crypto map set pfs command causes IPSec to request PFS when new security associations are requested for the crypto map entry.

If the set pfs statement does not specify a group, the default (group1) is sent. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails.

If the local configuration does not specify a group, a default of group1 is assumed and an offer of either group1 or group2 is accepted. If the local configuration specifies group2, that group must be part of the peer offer or the negotiation fails.
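The following is an added example, not configuration from the original page or from Cisco: it shows a crypto map entry first without PFS (the default, in which PFS is not requested) and then with PFS requested using Diffie-Hellman group2, so that the peer must offer group2 or the negotiation fails as described above. The map name MYMAP, transform set MYSET, access list 101 and peer address 192.0.2.1 are constructed placeholders. The main block uses IOS crypto map configuration mode; the last line shows the equivalent flat PIX 6.x syntax referred to in this document as crypto map mapname seqnum set pfs.

```cisco
! Added example (not from the original page). Names and addresses are constructed.
!
! --- Before: PFS is not requested (the default) ---
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set MYSET
 match address 101
! No "set pfs" line: a compromised key exposes every SA rekeyed from it.
!
! --- After: request PFS, requiring a fresh DH exchange (group2) per SA ---
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set MYSET
 set pfs group2
 match address 101
!
! To return this entry to the default of not requesting PFS:
crypto map MYMAP 10 ipsec-isakmp
 no set pfs
!
! PIX 6.x flat syntax for the same setting on map MYMAP, sequence 10:
crypto map MYMAP 10 set pfs group2
```

After applying the change, show crypto map on IOS reports PFS (Y/N) and the configured DH group for the entry, which is the quickest way to confirm that both peers are actually configured for PFS before troubleshooting a failed negotiation. Because the group must match the peer's offer, agree the group with the remote administrator before enabling it; newer software also supports larger groups than the group1 and group2 discussed here (for example group14), and a larger group is preferable where both ends support it.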

Note: Internet Key Exchange (IKE) negotiations with a remote peer can hang when a PIX Firewall has numerous tunnels that originate from the PIX and terminate on a single remote peer. This problem occurs when PFS is not enabled and the local peer asks for many simultaneous rekey requests. If this problem occurs, the IKE security association does not recover until it has timed out or until the clear [crypto] isakmp sa command is issued to manually clear it. PIX units configured with many tunnels to many peers, or many clients sharing the same tunnel, are not affected by this problem. If the configuration is affected, issue the crypto map mapname seqnum set pfs command to enable PFS.

Product Family

Firewall - PIX 500 series
VPN - 3000 series concentrator