Updated on 2024-07-23 GMT+08:00

How Do I Disable PFS When Creating a VPN Connection?

Perfect Forward Secrecy (PFS) can be disabled only in some regions. You are advised to keep PFS enabled in your on-premises data center, because it improves the security of IKE phase 2 negotiation.

By default, PFS is disabled on some vendors' devices. Check the device configuration manual to ensure that PFS is enabled.

  • PFS is a security feature.

    IKE negotiation has two phases. The phase-two key (the IPsec SA key) is derived from the key generated in phase one, so if the phase-one key is disclosed, the security of the IPsec VPN may be adversely affected. To improve key security, IKE provides PFS. With PFS configured, an additional DH exchange is performed during IPsec SA negotiation and a fresh IPsec SA key is generated from it, so the IPsec SA key no longer depends solely on the phase-one key.

  • To ensure security, PFS is enabled on the cloud side by default. Ensure that PFS is also enabled on the on-premises gateway. Otherwise, the negotiation will fail.
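As an added illustration (not from this page or the Huawei Cloud service), the following toy Python model follows the IKEv2 child SA key derivation of RFC 7296 section 2.17 to show why a leaked phase-1 key (SK_d) lets an eavesdropper recompute the IPsec SA key without PFS but not with it. The DH group, HMAC-SHA256 as prf, and the random test values are constructed assumptions, not real IKE parameters.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy DH group (constructed for illustration only; NOT a real IKE group).
TOY_P = 2**127 - 1
TOY_G = 2


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13, using HMAC-SHA256 as the prf."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes,
                 dh_secret: Optional[int], length: int = 32) -> bytes:
    """KEYMAT for a child (IPsec) SA, RFC 7296 section 2.17.
    Without PFS: prf+(SK_d, Ni | Nr). With PFS: prf+(SK_d, g^ir (new) | Ni | Nr)."""
    seed = ni + nr
    if dh_secret is not None:
        seed = dh_secret.to_bytes(16, "big") + seed
    return prf_plus(sk_d, seed, length)


def simulate(pfs: bool) -> Tuple[bytes, bytes]:
    """Return (KEYMAT the two peers derive, KEYMAT an eavesdropper holding SK_d derives)."""
    sk_d = secrets.token_bytes(32)                              # phase-1 key, assumed leaked
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # nonces, visible on the wire
    dh_secret = None
    if pfs:
        a = secrets.randbelow(TOY_P - 2) + 2
        b = secrets.randbelow(TOY_P - 2) + 2
        dh_secret = pow(pow(TOY_G, a, TOY_P), b, TOY_P)         # g^ab, known only to the peers
    peers = child_keymat(sk_d, ni, nr, dh_secret)
    # The eavesdropper sees Ni, Nr and the public values g^a, g^b, but not g^ab,
    # so the most it can compute from the leaked SK_d is the no-PFS derivation.
    attacker = child_keymat(sk_d, ni, nr, None)
    return peers, attacker


if __name__ == "__main__":
    for pfs in (False, True):
        peers, attacker = simulate(pfs)
        print(f"PFS={pfs}: attacker recovers IPsec SA key = {peers == attacker}")
```

With PFS off the two values match, which is exactly the exposure the FAQ describes; with PFS on they differ, because the fresh DH secret never appears on the wire.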