Cisco MDS 9000 Series Configuration Manual page 214

Security
About Perfect Forward Secrecy
In addition to the SA lifetime negotiation values, you can optionally configure the perfect forward secrecy (PFS) value in the crypto map.
PFS is disabled by default. When you enable it, you can choose one of the DH groups 1, 2, 5, or 14. If you enable PFS without specifying a DH group, the software uses group 1 by default.
Configuring Perfect Forward Secrecy
To configure the PFS value, follow these steps:
Procedure

Step 1
    switch# configure terminal
    switch(config)#
Enters configuration mode.

Step 2
    switch(config)# crypto map domain ipsec SampleMap 31
    ips-hac1(config-crypto-map-ip)#
Places you in the crypto map configuration mode for the entry named SampleMap with 31 as its sequence number.

Step 3
    switch(config-crypto-map-ip)# set pfs group 2
Specifies that IPsec should ask for PFS when requesting new SAs for this crypto map entry, or should demand PFS in requests received from the IPsec peer.

Step 4
    switch(config-crypto-map-ip)# no set pfs
(Optional) Deletes the configured DH group and reverts to the factory default of disabling PFS.
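The following is an added example, not part of the guide: a Python audit that parses a saved running-config and flags crypto map entries where PFS is unset or uses a DH group below a chosen threshold, applying the guide's rule that `set pfs` without a group means group 1. The sample configuration is constructed, and the indented sub-command layout is an assumption.

```python
import re

# Constructed "show running-config" excerpt (not from a real switch); it assumes the
# NX-OS/SAN-OS layout with sub-commands indented under each crypto map entry.
SAMPLE_CONFIG = """\
crypto map domain ipsec SampleMap 31
  set peer 10.10.1.1
  set pfs group 14
crypto map domain ipsec SampleMap 32
  set peer 10.10.1.2
crypto map domain ipsec OtherMap 1
  set pfs group 2
crypto map domain ipsec OtherMap 2
  set pfs
"""

# Of the groups the guide allows (1, 2, 5, 14) only 14 (2048-bit MODP) is accepted
# here; the threshold is this example's policy, not the guide's.
MIN_ACCEPTABLE_GROUP = 14
DEFAULT_PFS_GROUP = 1  # per the guide, "set pfs" without a group means group 1

ENTRY_RE = re.compile(r"^crypto map domain ipsec (\S+) (\d+)\s*$")
PFS_RE = re.compile(r"^\s+set pfs(?: group (\d+))?\s*$")


def parse_crypto_maps(config):
    """Return {(map_name, seq): dh_group or None}; None means PFS is not set."""
    entries, current = {}, None
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = None  # disabled unless a "set pfs" line follows
            continue
        m = PFS_RE.match(line)
        if m and current is not None:
            entries[current] = int(m.group(1)) if m.group(1) else DEFAULT_PFS_GROUP
    return entries


def audit_pfs(config, min_group=MIN_ACCEPTABLE_GROUP):
    """Return [(map_name, seq, status)]; status is 'ok', 'pfs-disabled' or 'weak-dh-group-N'."""
    findings = []
    for (name, seq), group in sorted(parse_crypto_maps(config).items()):
        if group is None:
            findings.append((name, seq, "pfs-disabled"))
        elif group < min_group:
            findings.append((name, seq, f"weak-dh-group-{group}"))
        else:
            findings.append((name, seq, "ok"))
    return findings
```

Each flagged entry is fixed with the guide's own commands (enter the entry, then `set pfs group 14`).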
About Crypto Map Set Interface Application
You need to apply a crypto map set to each interface through which IPsec traffic will flow. Applying the crypto map set to an interface instructs the switch to evaluate all of the interface's traffic against the crypto map set and to use the specified policy during connection or SA negotiation on behalf of the traffic to be protected by crypto.
You can apply only one crypto map set to an interface, but you can apply the same crypto map set to multiple interfaces.
Applying a Crypto Map Set
To apply a crypto map set to an interface, follow these steps:
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
196
Configuring IPSec Network Security