IPSec set up
PFS Group
As described above, PFS (Perfect Forward Secrecy) is an option that adds a new
Diffie-Hellman exchange to the calculation of the secret session key during
Phase 2. If PFS is enabled, you must therefore specify the Diffie-Hellman group
to be used for that new exchange.
To apply PFS to the Phase 2 key calculation, select one of PFS groups 1, 2, 5
or 14 as the Diffie-Hellman group. A PFS group is in fact a Diffie-Hellman (DH)
group, which determines the strength of the private key material used in the
Diffie-Hellman key exchange. A higher group number gives a key that is more
resistant to private-key recovery attacks, but requires more processing time for
the key calculation. To perform the Phase 2 key calculation without PFS, leave
all the PFS Group options unchecked.
• PFS Group 1: Enable PFS with DH Group 1, 768-bit group
• PFS Group 2: Enable PFS with DH Group 2, 1024-bit group
• PFS Group 5: Enable PFS with DH Group 5, 1536-bit group
• PFS Group 14: Enable PFS with DH Group 14, 2048-bit group
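The Phase 2 (Quick Mode) key derivation behind this option, as an added Python illustration that is not FortiWAN code: it follows the RFC 2409 KEYMAT formulas with HMAC-SHA1 assumed as the prf, uses a constructed toy DH prime in place of a real PFS group, and shows that once the Phase 1 secret SKEYID_d leaks, a recorded session negotiated without PFS can be re-keyed from the capture while a PFS session cannot.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters for the PFS exchange (constructed for illustration only; a
# real PFS group is one of the 768/1024/1536/2048-bit MODP primes of DH
# groups 1/2/5/14 selected by the FortiWAN options).
TOY_P = (1 << 127) - 1   # Mersenne prime 2^127 - 1
TOY_G = 2
PROTO_IPSEC_ESP = 3      # IPsec DOI protocol id for ESP

def prf(key, data):
    """IKEv1 prf, assumed here to be HMAC-SHA1 (the negotiated hash)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, g_qm_xy=None):
    """KEYMAT for one Phase 2 SA (RFC 2409 section 5.5).
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    data = bytes([protocol]) + spi + ni_b + nr_b
    if g_qm_xy is not None:
        data = g_qm_xy.to_bytes((g_qm_xy.bit_length() + 7) // 8, "big") + data
    return prf(skeyid_d, data)

def negotiate(skeyid_d, pfs):
    """One Quick Mode exchange: returns the peers' KEYMAT and what an eavesdropper records."""
    spi = secrets.token_bytes(4)
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    g_qm_xy = None
    if pfs:
        x = secrets.randbelow(TOY_P - 2) + 1   # initiator's ephemeral private value
        y = secrets.randbelow(TOY_P - 2) + 1   # responder's ephemeral private value
        gy = pow(TOY_G, y, TOY_P)              # public value seen on the wire
        g_qm_xy = pow(gy, x, TOY_P)            # shared secret; x and y are then discarded
    keymat = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, g_qm_xy)
    return keymat, {"spi": spi, "ni_b": ni_b, "nr_b": nr_b}

def recover_keymat_later(skeyid_d, captured):
    """Threat model: SKEYID_d (a Phase 1 secret) leaks after the session, and the
    Quick Mode traffic was recorded. Only public values are available; the
    ephemeral DH private values no longer exist anywhere."""
    return quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, captured["spi"],
                             captured["ni_b"], captured["nr_b"])

def pfs_protects(pfs):
    """True when the recorded KEYMAT cannot be rebuilt from leaked SKEYID_d plus capture."""
    skeyid_d = secrets.token_bytes(20)
    keymat, captured = negotiate(skeyid_d, pfs)
    return recover_keymat_later(skeyid_d, captured) != keymat
```

PFS only helps as far as the chosen group itself resists attack: the 768-bit and 1024-bit MODP groups are below today's commonly recommended 2048-bit minimum, so Group 14 is the prudent choice where the peer supports it.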
196 FortiWAN Handbook
Fortinet Technologies Inc.