Saturday, October 1, 2016

What is the use of PFS (Perfect Forward Secrecy) in an IPsec tunnel and how to enable it on the Aruba controller?

With PFS enabled, each IPsec (Phase 2) security association derives its keys from a fresh Diffie-Hellman exchange instead of from the IKE Phase 1 keying material, so an attacker who later recovers the Phase 1 secret cannot decrypt previously captured traffic.

How to check whether PFS is enabled or disabled:
 
(Aruba7210) #show crypto-local ipsec-map
 
Crypto Map Template "test" 100
         IKE Version: 1
         IKEv1 Policy: All
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N                                       <-- PFS is disabled here
         Transform sets={ default-transform }
         Peer gateway: 0.0.0.0
         Interface: VLAN 0
         Source network: 0.0.0.0/0.0.0.0
         Destination network: 0.0.0.0/0.0.0.0
         Pre-Connect (Y/N): N
         Tunnel Trusted (Y/N): N
         Forced NAT-T (Y/N): N
 
How to enable PFS for IPSEC tunnel:
 
(Aruba7210) #configure terminal
(Aruba7210) (config) #crypto-local  ipsec-map test 100
(Aruba7210) (config-ipsec-map)#  set pfs
 
Note: If we decide to enable PFS (as additional security for the IPsec tunnel), then we need to enable it on both ends (initiator and responder), with the same Diffie-Hellman group on each side. If only one peer has PFS enabled, the Phase 2 negotiation fails and the tunnel does not come up.
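As an added example (not part of the original post and not an Aruba tool), the following POSIX shell script audits saved `show crypto-local ipsec-map` output for every map that still has `PFS (Y/N): N` and prints the CLI commands that would enable PFS on each one. The sample output embedded in the script is constructed to mimic the format shown above; the map names and peer addresses in it are made up.

```shell
#!/bin/sh
# Constructed sample of "show crypto-local ipsec-map" output; not captured
# from a real controller. Three maps, two of which have PFS disabled.
SAMPLE_OUTPUT='Crypto Map Template "test" 100
         IKE Version: 1
         PFS (Y/N): N
         Peer gateway: 0.0.0.0
Crypto Map Template "branch-vpn" 200
         IKE Version: 2
         PFS (Y/N): Y
         Peer gateway: 203.0.113.10
Crypto Map Template "dc-link" 300
         IKE Version: 1
         PFS (Y/N): N
         Peer gateway: 198.51.100.7'

# Read show output on stdin; print "<map-name> <priority>" for every
# crypto map whose PFS flag is N.
pfs_disabled_maps() {
    awk '
        /^Crypto Map Template/ {
            # map name is between double quotes, priority is the last field
            split($0, q, "\"")
            name = q[2]
            prio = $NF
        }
        /PFS \(Y\/N\):/ {
            if ($NF == "N") print name, prio
        }
    '
}

# Read show output on stdin; emit the config-mode commands that would
# enable PFS on each flagged map (same commands as in the post).
pfs_fix_commands() {
    pfs_disabled_maps | while read -r name prio; do
        printf 'crypto-local ipsec-map %s %s\n   set pfs\n' "$name" "$prio"
    done
}

# Stand-alone run: list the maps that need attention, then the fix.
printf '%s\n' "$SAMPLE_OUTPUT" | pfs_disabled_maps
printf '%s\n' "$SAMPLE_OUTPUT" | pfs_fix_commands
```

To use it against a real controller, replace the embedded sample with the actual output (for example `ssh admin@controller 'show crypto-local ipsec-map' | pfs_disabled_maps`) and review the generated commands before applying them, remembering that the remote peer has to be changed at the same time.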
 
 
 


Man in the Rain