| Description | This article describes the feature on IPsec phase 2 configuration Perfect Forward Secrecy (PFS). |
| Scope | FortiGate. |
| Solution |
PFS enhances security by performing a fresh Diffie-Hellman key exchange each time a Phase 2 Security Association (SA) is established or re-keyed. Without PFS enabled, the key used in Phase 1 SA will be reused. This means that when Phase 1 key of a current session is compromised, an attacker can decrypt all encrypted IPsec traffic for that session.
It is then generally considered a good practice to use PFS to ensure that new keys are negotiated each time a new Phase 2 SA is established or rekeyed.
This mode is enabled by default forcing a new key to be exchanged each time a new Phase 2 SA is rekeyed, unless specifically disabled as per individual requirement.
The configuration is available on both GUI and CLI.
CLI:
FGT # config vpn ipsec phase2-interface edit "IPsecVPN" set pfs enable <----- default value
Related articles: Technical Tip: Understanding Diffie-Hellman Groups and IKEv1 vs IKEv2 in FortiGate VPNs |
