Description | This article describes the Perfect Forward Secrecy (PFS) setting in the IPsec Phase 2 configuration. |
Scope | FortiGate. |
Solution |
PFS enhances security by performing a fresh Diffie-Hellman (DH) key exchange each time a Phase 2 Security Association (SA) is established or rekeyed. Without PFS, the Phase 2 keys are derived from the keying material of the Phase 1 (IKE) SA. If that Phase 1 key material is compromised, an attacker who has captured the traffic can derive every Phase 2 key and decrypt all IPsec traffic protected under that Phase 1 SA. With PFS, each Phase 2 key additionally depends on a new DH shared secret that never crosses the wire, so compromising the Phase 1 key material no longer exposes the Phase 2 keys.
It is therefore considered good practice to enable PFS so that new keys are negotiated each time a Phase 2 SA is established or rekeyed.
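To make the reasoning above concrete, the following added example (not FortiGate code and not Fortinet's own) models the IKEv2 child SA key derivation of RFC 7296 section 2.17 with HMAC-SHA256 as the PRF: KEYMAT = prf+(SK_d, Ni | Nr) without PFS, and KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr) with PFS. An attacker who holds SK_d from the Phase 1 SA and has captured the cleartext nonces recomputes the non-PFS KEYMAT exactly, but cannot recompute the PFS KEYMAT because the fresh DH secret requires a private exponent. The DH parameters are a toy group chosen only so the script runs offline (they are not a real IKE group), and the SK_d value, nonces and private exponents are constructed sample inputs.

```python
"""Why PFS protects IPsec Phase 2 (child SA) keys.

Added example, not FortiGate code. Models RFC 7296 section 2.17:
    no PFS:   KEYMAT = prf+(SK_d, Ni | Nr)
    with PFS: KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
SK_d is the key-derivation secret of the Phase 1 (IKE) SA.
"""
import hashlib
import hmac
from typing import Optional

# Toy Diffie-Hellman parameters (assumption: NOT a real IKE DH group and far too
# small for real use; they only keep the example self-contained and offline).
TOY_P = 2**127 - 1
TOY_G = 3

# Constructed sample inputs: a "compromised" SK_d, the peers' nonces (which are
# sent in cleartext in IKE), and each peer's DH private exponent for the rekey.
SK_D = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
NI = bytes.fromhex("1111111111111111111111111111111111111111")
NR = bytes.fromhex("2222222222222222222222222222222222222222")
XI = 0x1357_9BDF_2468_ACE0_1357_9BDF_2468_ACE
XR = 0x0FED_CBA9_8765_4321_0FED_CBA9_8765_4321


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) instantiated as HMAC-SHA256 (PRF_HMAC_SHA2_256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes,
                 g_ir: Optional[bytes] = None, length: int = 64) -> bytes:
    """Child SA KEYMAT. Pass g_ir (the new DH shared secret) to model PFS."""
    seed = (g_ir if g_ir is not None else b"") + ni + nr
    return prf_plus(sk_d, seed, length)


def dh_public(priv: int) -> int:
    """KE payload value g^x mod p that is sent on the wire."""
    return pow(TOY_G, priv, TOY_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^ir as a fixed-width big-endian byte string (RFC 7296 section 2.14)."""
    shared = pow(peer_pub, priv, TOY_P)
    return shared.to_bytes((TOY_P.bit_length() + 7) // 8, "big")


def rekey(sk_d: bytes, ni: bytes, nr: bytes, pfs: bool, xi: int, xr: int) -> dict:
    """One Phase 2 rekey as seen by initiator, responder and a passive attacker.

    The attacker holds SK_d (Phase 1 compromised) and sees Ni, Nr, KEi, KEr on
    the wire, but has neither private exponent, so can only derive the seed
    built from SK_d and the nonces.
    """
    if pfs:
        kei, ker = dh_public(xi), dh_public(xr)       # KEi / KEr payloads on the wire
        g_ir_initiator = dh_shared(xi, ker)
        g_ir_responder = dh_shared(xr, kei)
    else:
        g_ir_initiator = g_ir_responder = None
    return {
        "initiator": child_keymat(sk_d, ni, nr, g_ir_initiator),
        "responder": child_keymat(sk_d, ni, nr, g_ir_responder),
        "attacker": child_keymat(sk_d, ni, nr),
    }


def attacker_recovers_keymat(pfs: bool) -> bool:
    """True if the attacker's derivation matches the keys the peers actually use."""
    r = rekey(SK_D, NI, NR, pfs, XI, XR)
    assert r["initiator"] == r["responder"], "peers must always agree"
    return r["attacker"] == r["initiator"]


if __name__ == "__main__":
    print("PFS disabled: attacker recovers KEYMAT ->", attacker_recovers_keymat(False))
    print("PFS enabled:  attacker recovers KEYMAT ->", attacker_recovers_keymat(True))
```

Both peers derive identical KEYMAT in either mode, so the tunnel works with or without PFS; the difference is only visible once SK_d leaks, which is exactly the case PFS is meant to cover.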
On FortiGate, PFS is enabled by default on Phase 2, so a fresh DH exchange is forced each time a Phase 2 SA is rekeyed unless PFS is explicitly disabled to meet a specific requirement. Both VPN peers must agree on the PFS setting, and on the DH group used for that exchange (set with dhgrp in the same Phase 2 entry); a mismatch causes Phase 2 negotiation to fail.
The setting is available in both the GUI and the CLI.
CLI:
FGT # config vpn ipsec phase2-interface
FGT (phase2-interface) # edit "IPsecVPN"
FGT (IPsecVPN) # set pfs enable    <----- default value
FGT (IPsecVPN) # next
FGT (phase2-interface) # end
Related articles: Technical Tip: Understanding Diffie-Hellman Groups and IKEv1 vs IKEv2 in FortiGate VPNs
Copyright 2025 Fortinet, Inc. All Rights Reserved.