Cisco Support Community
New Member

Do I need to use PFS on ASA VPNs?

Hi,

I have been setting up a few VPNs to customers on my Cisco ASA; some use the PFS option and some don't.

What is this used for?

Accepted Solution

Re: Do I need to use PFS on ASA VPNs?

In the first Quick Mode packet, the initiator sends the identity information, the IPsec SA proposal, the Nonce payload, and the optional Key Exchange (KE) payload in case Perfect Forward Secrecy (PFS) is used.

Perfect Forward Secrecy (PFS) is a cryptographic technique where the newly generated keys are unrelated to any previously generated key. With PFS enabled, the Cisco ASA generates a new set of keys which is used during the IPsec Phase 2 negotiations. Without PFS, the Cisco ASA uses the Phase 1 keys during the Phase 2 negotiations. The Cisco ASA uses Diffie-Hellman groups 1, 2, 5, and 7 for PFS to generate the keys. Diffie-Hellman group 1 uses a 768-bit modulus to generate the keys, while group 2 uses a 1024-bit and group 5 a 1536-bit modulus. Group 7, where the elliptic curve field size is 163 bits, is designed for faster computation of keys and is usually used by handheld PCs. Group 5 is the most secure technique but requires more processing overhead. The syntax to configure PFS is:

crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}

It is an optional command.

If helpful, rate.
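The difference the accepted answer describes (Phase 2 keys derived from the Phase 1 secret alone, versus a fresh Diffie-Hellman exchange per Quick Mode) can be shown directly from the IKEv1 KEYMAT derivation in RFC 2409 section 5.5. The following Python is an added illustration, not code from the original post or from Cisco; it assumes a toy 127-bit prime in place of a real IKE DH group and HMAC-SHA256 in place of the negotiated PRF, and it models an attacker who captured the Quick Mode packets and only later obtained the Phase 1 keying secret SKEYID_d:

```python
# Toy model of IKEv1 Quick Mode keying with and without PFS (RFC 2409 s5.5).
# Added illustration; not code from the original post or from Cisco.
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for this demonstration only: a 127-bit prime,
# NOT a real IKE group (group 2 is a 1024-bit MODP prime, group 5 is 1536-bit).
P = (1 << 127) - 1
G = 2
ESP = 3  # IPsec protocol ID for ESP; it is part of the KEYMAT input


def prf(key: bytes, data: bytes) -> bytes:
    """The keyed PRF of IKE; HMAC-SHA256 stands in for the negotiated one."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Fresh ephemeral DH pair (x, g^x mod p) for one Quick Mode."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy mod p as fixed-width bytes (P fits in 16 bytes)."""
    return pow(peer_public, x, P).to_bytes(16, "big")


def quick_mode_keymat(skeyid_d, spi, ni, nr, gxy=None):
    """KEYMAT for one Phase 2 SA, as in RFC 2409 s5.5:
       without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
       with PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    return prf(skeyid_d, (gxy or b"") + bytes([ESP]) + spi + ni + nr)


def negotiate(pfs: bool):
    """Run one Quick Mode; return (keymat, on_the_wire, skeyid_d).
    on_the_wire holds everything a passive eavesdropper can capture."""
    skeyid_d = secrets.token_bytes(32)           # Phase 1 keying secret
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"spi": spi, "ni": ni, "nr": nr}      # all sent in the clear
    if not pfs:
        return quick_mode_keymat(skeyid_d, spi, ni, nr), wire, skeyid_d
    xi, gi = dh_keypair()                        # initiator's ephemeral pair
    xr, gr = dh_keypair()                        # responder's ephemeral pair
    wire["gi"], wire["gr"] = gi, gr              # the KE payloads are public
    gxy = dh_shared(xi, gr)
    assert gxy == dh_shared(xr, gi)              # both sides agree on g^xy
    keymat = quick_mode_keymat(skeyid_d, spi, ni, nr, gxy)
    # Both peers discard xi and xr once KEYMAT exists; nothing kept on either
    # box reproduces g^xy afterwards.
    return keymat, wire, skeyid_d


def attacker_keymat(skeyid_d, wire):
    """Attacker who captured the exchange and LATER obtained SKEYID_d (for
    example from the pre-shared key plus the recorded Phase 1 transcript).
    Returns the recovered KEYMAT, or None when PFS leaves g^xy unobtainable."""
    if "gi" in wire:
        # Only g^x and g^y were captured; forming g^xy needs a discrete log.
        return None
    return quick_mode_keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])


def pfs_protects(pfs: bool) -> bool:
    """True if a later SKEYID_d compromise does NOT yield the Phase 2 key."""
    keymat, wire, skeyid_d = negotiate(pfs)
    return attacker_keymat(skeyid_d, wire) != keymat


if __name__ == "__main__":
    print("without PFS, Phase 1 compromise exposes Phase 2 keys:",
          not pfs_protects(False))
    print("with PFS, Phase 2 keys stay secret:", pfs_protects(True))
```

Two practical points follow from this. Both peers must be configured with the same PFS setting and the same DH group, otherwise the Quick Mode proposal is rejected and the Phase 2 SA never comes up, so check the customer's side before enabling it. Whether a live tunnel actually negotiated PFS can be confirmed on the ASA with show crypto ipsec sa, which reports "PFS (Y/N)" and the DH group per SA.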

3 REPLIES


New Member

Re: Do I need to use PFS on ASA VPNs?

Thanks! Optional but sounds more secure, I will use this!

New Member

Thanks for the explanation!
