FortiGate
Jaye17
Staff
Article Id 405554
Description: This article describes the Perfect Forward Secrecy (PFS) setting in the IPsec phase 2 configuration.
Scope: FortiGate.
Solution

PFS enhances security by performing a fresh Diffie-Hellman key exchange each time a Phase 2 Security Association (SA) is established or re-keyed. Without PFS enabled, the key established in the Phase 1 SA is reused. This means that if the Phase 1 key of a current session is compromised, an attacker can decrypt all encrypted IPsec traffic for that session.

It is therefore generally considered good practice to use PFS to ensure that new keys are negotiated each time a new Phase 2 SA is established or rekeyed.

This mode is enabled by default, forcing a new key exchange each time a Phase 2 SA is rekeyed, unless specifically disabled to meet an individual requirement.

The configuration is available on both the GUI and the CLI.

[Screenshot: PFS GUI.png]

CLI:

FGT # config vpn ipsec phase2-interface
    edit "IPsecVPN"
        set phase1name "IPsecVPN"
        set proposal aes256-sha256
        set pfs enable       <----- default value
        set dhgrp 20
    next
end
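As an added example (not part of the original article or Fortinet's own tooling), a small Python audit that parses the phase2-interface section in the format shown above and lists tunnels where `set pfs disable` has been configured, treating a missing `set pfs` line as the default (enable). The sample configuration text is constructed, not captured from a real device.

```python
from typing import Dict, List

# Constructed sample of "config vpn ipsec phase2-interface" output (not from a
# real device): one tunnel keeps the default, two explicitly disable PFS.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "IPsecVPN"
        set phase1name "IPsecVPN"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 20
    next
    edit "Branch-A"
        set pfs disable
        set dhgrp 14
    next
    edit "Legacy"
        set pfs disable
    next
end
"""

def parse_phase2(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel_name: {setting: value}} for each 'edit ... next' entry.
    Assumes the text is the phase2-interface section only."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries

def audit_pfs(config_text: str) -> List[str]:
    """List tunnels with 'set pfs disable'. A missing 'set pfs' line is treated
    as the default (enable), since 'show' omits values left at their default."""
    findings = []
    for name, settings in parse_phase2(config_text).items():
        if settings.get("pfs", "enable") == "disable":
            findings.append(f"{name}: pfs disabled (dhgrp {settings.get('dhgrp', 'not set')})")
    return findings
```

Run `audit_pfs` over the output of `show vpn ipsec phase2-interface` to get one line per tunnel that has PFS turned off.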
Related articles:

Troubleshooting Tip: IPsec phase2 not coming up with 'did not expect PFS DH group' error in IKE debu... 

Technical Tip: Understanding Diffie-Hellman Groups and IKEv1 vs IKEv2 in FortiGate VPNs
