Specify that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or should require PFS in requests received from the peer:

    crypto map map-name seq-num set pfs [group1 | group2]

For example:

    crypto map mymap 10 set pfs group2

This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10." The 1024-bit Diffie-Hellman prime modulus group will be used when a new security association is negotiated using the Diffie-Hellman exchange.

-----Original Message-----
From: Chontzopoulos Dimitris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 12:24 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Cisco Commands for "Use Perfect Forward Secrecy"

Hello gurus of the list,

This may be off-topic, so I apologize. I just have a quick question. Is there a way to create a VPN tunnel between a CP VPN-1 v4.1 SP3 and a Cisco router by *enabling* "Use Perfect Forward Secrecy" on the firewall? I have established a VPN tunnel, but I really don't know if there are appropriate commands for the Cisco router to support this feature. Below are the commands I used on the Cisco side:

    ! traffic selectors for the tunnel (addresses masked in the original post)
    access-list 101 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    access-list 101 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    !
    ! phase 1 (ISAKMP) policy and pre-shared key for the peer
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 2
    crypto isakmp key abcdefghij address xxx.xxx.xxx.xxx
    !
    ! phase 2 (IPSec) transform set
    crypto ipsec transform-set testset esp-des esp-md5-hmac
    !
    ! crypto map entry tying peer, transform set and selectors together
    crypto map testmap 10 ipsec-isakmp
     set peer xxx.xxx.xxx.xxx
     set transform-set testset
     match address 101
    !
    interface Ethernet0
     crypto map testmap

Cheers,
Dimitris.
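The check below is an added example, not code from the thread or from Cisco: it parses the "crypto map <name> <seq> ipsec-isakmp" blocks of an IOS configuration and reports, for each entry, whether "set pfs" is present and which Diffie-Hellman group it names, which is the quickest way to confirm the router side before testing against a gateway that has "Use Perfect Forward Secrecy" switched on. The sample configuration is constructed from the one posted above, with RFC 5737 documentation addresses standing in for the masked ones; the second entry, testmap 20, and access-list 102 are assumptions added so that one entry with PFS configured sits beside one without. The group1 default for a bare "set pfs" follows the command syntax quoted in the reply.

```python
"""Audit Cisco IOS crypto map entries for perfect forward secrecy (PFS).

Added example, not from the mailing-list thread or Cisco documentation.
It parses the 'crypto map <name> <seq> ipsec-isakmp' blocks of a saved
configuration and reports whether each one carries 'set pfs' and which
Diffie-Hellman group it names.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the poster's configuration with RFC 5737 documentation
# addresses in place of the masked ones, plus a second map entry (testmap 20,
# an assumption for illustration) that already requests PFS with group2.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key abcdefghij address 192.0.2.1
!
crypto ipsec transform-set testset esp-des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set testset
 match address 101
crypto map testmap 20 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set testset
 set pfs group2
 match address 102
!
interface Ethernet0
 crypto map testmap
"""

MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b", re.IGNORECASE)


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peer: Optional[str] = None
    transform_sets: List[str] = field(default_factory=list)
    acl: Optional[str] = None
    pfs_group: Optional[str] = None  # None means 'set pfs' is absent


def parse_crypto_maps(config: str) -> List[CryptoMapEntry]:
    """Return one CryptoMapEntry per 'crypto map ... ipsec-isakmp' block.

    Sub-mode lines are recognised by their leading keyword ('set', 'match')
    rather than by indentation, so a config pasted without the one-space
    indent IOS normally emits (as in the thread) still parses.
    """
    entries: List[CryptoMapEntry] = []
    current: Optional[CryptoMapEntry] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = MAP_ENTRY_RE.match(line)
        if header:
            current = CryptoMapEntry(header.group(1), int(header.group(2)))
            entries.append(current)
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if current is None or keyword not in ("set", "match"):
            current = None  # any other top-level command ends the block
            continue
        sub = parts[1].lower() if len(parts) > 1 else ""
        if keyword == "set" and sub == "peer" and len(parts) > 2:
            current.peer = parts[2]
        elif keyword == "set" and sub == "transform-set":
            current.transform_sets.extend(parts[2:])
        elif keyword == "match" and sub == "address" and len(parts) > 2:
            current.acl = parts[2]
        elif keyword == "set" and sub == "pfs":
            # A bare 'set pfs' defaults to group1 (the syntax is set pfs [group1 | group2]).
            current.pfs_group = parts[2].lower() if len(parts) > 2 else "group1"
    return entries


def pfs_report(config: str) -> Dict[str, str]:
    """Map '<name> <seq>' to a one-line PFS verdict for each crypto map entry."""
    report: Dict[str, str] = {}
    for entry in parse_crypto_maps(config):
        key = f"{entry.name} {entry.seq}"
        if entry.pfs_group is None:
            report[key] = ("no PFS requested; this router will not ask for PFS when it "
                           "initiates, add 'set pfs group2' to the entry")
        else:
            report[key] = f"PFS requested with {entry.pfs_group}"
    return report


if __name__ == "__main__":
    for key, verdict in pfs_report(SAMPLE_CONFIG).items():
        print(f"{key}: {verdict}")
```

Run it against the output of "show running-config" saved to a file, or feed the text to pfs_report() directly; an entry reported as "no PFS requested" is the one to fix with the "set pfs group2" command from the reply above.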
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
