Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN site to site with Diffie-Hellman Group

Hello Guys,

I currently have a VPN site to site setup between my ASA and cisco router without Perfect Forward Secrecy enabled (no Diffie-Hellman Group) and I also have another the VPN site to site setup between my ASA  and cisco router with Perfect Fprward Secrecy enabled and Diffie-Hellman Group (group 5). Both setups are working fine so far since they've been up for few weeks. My question are:

    What do Perfect Fprward Secrecy enabled and Diffie-Hellman Group really do in the VPN?

    What if I don't have Perfect Fprward Secrecy enabled and Diffie-Hellman Group setup, will it affect my VPN performance?

Thanks.


1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: VPN site to site with Diffie-Hellman Group

Hi,

Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.

Depends on how much is your VPN used, but basically it will not affect your VPN performance in regards of few connections.

But on the other side it means "Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost"

Best Regards,

Jan

2 REPLIES
Bronze

Re: VPN site to site with Diffie-Hellman Group

Hi,

Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.

Depends on how much is your VPN used, but basically it will not affect your VPN performance in regards of few connections.

But on the other side it means "Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost"

Best Regards,

Jan

New Member

VPN site to site with Diffie-Hellman Group

Thanks for the useful information.

1328
Views
5
Helpful
2
Replies
CreatePlease to create content