Vyatta Network OS Documentation


security vpn ipsec esp-group <name> pfs <pfs>

Specifies whether or not Perfect Forward Secrecy (PFS) is used.

set security vpn ipsec esp-group <name> pfs <pfs>
delete security vpn ipsec esp-group <name> pfs
show security vpn ipsec esp-group <name> pfs

PFS is enabled and uses the Diffie-Hellman group defined in the ike-group.

name
The name to be used to refer to the ESP configuration.
pfs
Enables or disables Perfect Forward Secrecy, or pins the Diffie-Hellman group used for it. Supported values are as follows:

enable—Enables PFS using the Diffie-Hellman group defined in the ike-group.

dh-group2—Enables PFS using Diffie-Hellman group 2 (1024-bit MODP).

dh-group5—Enables PFS using Diffie-Hellman group 5 (1536-bit MODP).

dh-group14—Enables PFS using Diffie-Hellman group 14 (2048-bit MODP).

dh-group15—Enables PFS using Diffie-Hellman group 15 (3072-bit MODP).

dh-group16—Enables PFS using Diffie-Hellman group 16 (4096-bit MODP).

dh-group17—Enables PFS using Diffie-Hellman group 17 (6144-bit MODP).

dh-group18—Enables PFS using Diffie-Hellman group 18 (8192-bit MODP).

dh-group19—Enables PFS using Diffie-Hellman group 19 (256-bit random ECP).

dh-group20—Enables PFS using Diffie-Hellman group 20 (384-bit random ECP).

disable—Disables PFS. Without PFS, each ESP SA derives its keys from the IKE SA keying material, so compromise of the IKE SA also exposes the ESP session keys.

Groups 2 and 5 use moduli below 2048 bits and are kept for interoperability with older peers; for new deployments prefer dh-group14 or higher, or the elliptic-curve groups dh-group19 and dh-group20.

Configuration mode

security {
    vpn {
        ipsec {
            esp-group <name> {
                pfs <pfs>
            }
        }
    }
}

Use this command to specify whether or not PFS will be used and, if used, which Diffie-Hellman group is to be used.

Note: Setting pfs to disable does not prevent PFS from being negotiated. Regardless of the setting of this parameter, if the far-end VPN peer requests PFS, the vRouter will use PFS.
Note: If pfs is not configured for the ESP group, or is set to enable without a Diffie-Hellman group, the default is to use the same Diffie-Hellman group that is used for the configured IKE proposal.

Use the set form of this command to specify whether or not PFS will be used and, optionally, which Diffie-Hellman group to use for it.

Use the delete form of this command to restore the default PFS configuration (PFS enabled, using the Diffie-Hellman group of the ike-group).

Use the show form of this command to view the PFS configuration.
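The following is an added example, not Vyatta's own code, that applies the rules in the notes above to a constructed set of configuration lines: it resolves the Diffie-Hellman group each esp-group will actually use for PFS (inheriting from the ike-group when pfs is enable or absent) and flags groups whose modulus is below an assumed 2048-bit policy floor, or PFS disabled outright. The ike-group proposal dh-group syntax and the site-to-site peer / tunnel binding lines are assumed for the example; only the esp-group pfs syntax is documented on this page.

```python
"""Audit the effective PFS setting of Vyatta esp-groups (added example, not Vyatta code)."""
import re

# Modulus or curve size in bits for each group accepted by 'pfs'
# (RFC 3526 MODP groups; 19 and 20 are RFC 5903 ECP curves).
DH_GROUP_BITS = {
    "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048,
    "dh-group15": 3072, "dh-group16": 4096, "dh-group17": 6144,
    "dh-group18": 8192, "dh-group19": 256, "dh-group20": 384,
}
ECP_GROUPS = {"dh-group19", "dh-group20"}
WEAK_MODP_BITS = 2048  # assumed policy floor for this example

# Only the esp-group pfs line is taken from this page; the others are assumed syntax.
ESP_PFS = re.compile(r"^set security vpn ipsec esp-group (\S+) pfs (\S+)$")
IKE_DH = re.compile(r"^set security vpn ipsec ike-group (\S+) proposal \d+ dh-group (\d+)$")
PEER_IKE = re.compile(r"^set security vpn ipsec site-to-site peer (\S+) ike-group (\S+)$")
PEER_ESP = re.compile(r"^set security vpn ipsec site-to-site peer (\S+) tunnel \d+ esp-group (\S+)$")

# Constructed sample configuration; ESP-DEFAULT deliberately has no pfs line.
SAMPLE_CONFIG = [
    "set security vpn ipsec ike-group IKE-LEGACY proposal 1 dh-group 2",
    "set security vpn ipsec ike-group IKE-MODERN proposal 1 dh-group 14",
    "set security vpn ipsec ike-group IKE-MODERN proposal 2 dh-group 19",
    "set security vpn ipsec esp-group ESP-NOPFS pfs disable",
    "set security vpn ipsec esp-group ESP-INHERIT pfs enable",
    "set security vpn ipsec esp-group ESP-PINNED pfs dh-group14",
    "set security vpn ipsec site-to-site peer 192.0.2.1 ike-group IKE-LEGACY",
    "set security vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group ESP-INHERIT",
    "set security vpn ipsec site-to-site peer 192.0.2.1 tunnel 2 esp-group ESP-NOPFS",
    "set security vpn ipsec site-to-site peer 198.51.100.7 ike-group IKE-MODERN",
    "set security vpn ipsec site-to-site peer 198.51.100.7 tunnel 1 esp-group ESP-PINNED",
    "set security vpn ipsec site-to-site peer 198.51.100.7 tunnel 2 esp-group ESP-DEFAULT",
]


def parse_config(lines):
    """Collect esp-group pfs values, ike-group DH groups and peer bindings."""
    esp_pfs, ike_dh, peer_ike, peer_esp = {}, {}, {}, {}
    for raw in lines:
        line = raw.strip()
        if m := ESP_PFS.match(line):
            esp_pfs[m[1]] = m[2]
        elif m := IKE_DH.match(line):
            ike_dh.setdefault(m[1], set()).add("dh-group" + m[2])
        elif m := PEER_IKE.match(line):
            peer_ike[m[1]] = m[2]
        elif m := PEER_ESP.match(line):
            peer_esp.setdefault(m[1], set()).add(m[2])
    return esp_pfs, ike_dh, peer_ike, peer_esp


def effective_pfs(pfs_value, ike_groups):
    """DH groups the esp-group will use for PFS, per the rules on this page (empty = PFS off)."""
    if pfs_value == "disable":
        return set()
    if pfs_value in (None, "enable"):   # unset or 'enable': inherit from the ike-group
        return set(ike_groups)
    return {pfs_value}                   # explicit dh-groupN


def audit(lines):
    """Return (peer, esp-group, finding) tuples for disabled or weak PFS."""
    esp_pfs, ike_dh, peer_ike, peer_esp = parse_config(lines)
    findings = []
    for peer, esp_names in sorted(peer_esp.items()):
        ike_groups = ike_dh.get(peer_ike.get(peer), set())
        for esp in sorted(esp_names):
            groups = effective_pfs(esp_pfs.get(esp), ike_groups)
            if not groups:
                # Without PFS the ESP SA keys derive from the IKE SA keying material;
                # the note on this page says PFS is still used if the peer requests it.
                findings.append((peer, esp, "PFS disabled (still used if the peer requests it)"))
            for group in sorted(groups):
                bits = DH_GROUP_BITS.get(group)
                if bits is None:
                    findings.append((peer, esp, f"unknown PFS group {group}"))
                elif group not in ECP_GROUPS and bits < WEAK_MODP_BITS:
                    findings.append((peer, esp, f"weak PFS group {group} ({bits}-bit MODP)"))
    return findings


if __name__ == "__main__":
    for peer, esp, finding in audit(SAMPLE_CONFIG):
        print(f"{peer} {esp}: {finding}")
```

On the sample, ESP-INHERIT is flagged because pfs enable inherits dh-group2 from IKE-LEGACY, and ESP-NOPFS is flagged as disabled; ESP-PINNED and ESP-DEFAULT pass because group 14 meets the floor and group 19 is an elliptic-curve group. Pinning a group with pfs dh-group14 is the simplest way to keep PFS strength independent of later edits to the ike-group.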