Section 35.3.7, Section 35.3.8 – Westermo RedFox Series User Manual
Page 823

Westermo OS Management Guide
Version 4.17.0-0
Default values Disabled ("no aggressive", i.e., main mode is used by default.)
35.3.7 Enable/disable Perfect Forward Secrecy
Syntax [no] pfs
Context
context
Usage Enable or disable Perfect Forward Secrecy for this IPsec tunnel. Protects
previous key exchanges even if the current one is compromised.
Note
This setting is not supported by all IPsec implementations. It is however recommended to have it enabled, on both sides of the connection.
If you are unsure what to do, you can safely disable PFS. If the IPsec daemon receives a request with PFS, it will allow it even though you have disabled it here, because there is absolutely no reason not to use PFS if it is available.
Use "pfs" to enable and "no pfs" to disable perfect forward secrecy.
Use "show pfs" to show whether perfect forward secrecy is enabled or disabled for this tunnel.
Default values Enabled ("pfs")
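Why the note recommends PFS is easiest to see in a small model of the IKEv1 Quick Mode key derivation: without PFS every IPsec (phase-2) key is computed from the phase-1 secret SKEYID_d plus values visible on the wire, so a later compromise of SKEYID_d exposes every recorded tunnel; with PFS each phase-2 adds a fresh Diffie-Hellman exchange whose exponents are discarded. The Python block below is an added example, not Westermo code. It assumes HMAC-SHA256 as a stand-in for the negotiated IKE PRF, a toy DH group (the prime 2^255 - 19 with generator 2, chosen only so the arithmetic is fast; it is not an IKE group), a simplified SKEYID_d derivation, and constructed nonces and SPI values; the function names (`prf`, `dh_keypair`, `dh_shared`, `phase2_keymat`, `run_exchange`, `attacker_recovers_keymat`) are this example's own.

```python
"""Toy model of IKEv1 Quick Mode (phase-2) key derivation with and without PFS.

Added example, not Westermo code. The KEYMAT formula follows RFC 2409 section
5.5; everything else (PRF choice, DH group, SKEYID_d derivation) is simplified.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed toy DH group: p = 2**255 - 19 is prime (the Curve25519 field
# prime), g = 2. This is NOT an IKE DH group; it only keeps the arithmetic fast.
P = 2**255 - 19
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKE PRF (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair() -> Tuple[int, int]:
    """Fresh ephemeral DH private exponent and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1          # 1 <= x <= p-2
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^xy mod p as a fixed-width byte string, as IKE feeds it to the PRF."""
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def phase2_keymat(skeyid_d: bytes, proto_spi: bytes, ni: bytes, nr: bytes,
                  qm_secret: Optional[bytes] = None) -> bytes:
    """Quick Mode KEYMAT per RFC 2409 section 5.5.

    Without PFS:  KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:     KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    return prf(skeyid_d, (qm_secret or b"") + proto_spi + ni + nr)


def run_exchange(pfs: bool) -> dict:
    """One phase-1, one phase-2, then a later compromise of SKEYID_d."""
    # Phase 1: both peers run DH; the SKEYID_d derivation is simplified here.
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    assert dh_shared(a, gb) == dh_shared(b, ga)
    skeyid_d = prf(dh_shared(a, gb), b"SKEYID_d")

    # Phase 2 (Quick Mode): constructed nonces and ESP SPI, all visible on the wire.
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    proto_spi = b"\x03" + secrets.token_bytes(4)   # protocol id 3 = ESP, 4-byte SPI

    qm_secret = None
    if pfs:
        # "pfs": a fresh DH inside Quick Mode; only public values cross the wire
        # and the exponents qa, qb are thrown away once KEYMAT is derived.
        qa, gqa = dh_keypair()
        qb, gqb = dh_keypair()
        qm_secret = dh_shared(qa, gqb)
        assert qm_secret == dh_shared(qb, gqa)
    keymat = phase2_keymat(skeyid_d, proto_spi, ni, nr, qm_secret)

    # Adversary model: recorded all wire traffic, later obtains SKEYID_d (for
    # instance from a memory dump). Without PFS every KEYMAT input is now known.
    # With PFS the attacker still lacks g(qm)^xy and cannot rebuild KEYMAT
    # without solving the discrete logarithm for the discarded exponents.
    attacker_keymat = phase2_keymat(skeyid_d, proto_spi, ni, nr, None)
    return {"pfs": pfs, "keymat": keymat,
            "attacker_recovers": attacker_keymat == keymat}


def attacker_recovers_keymat(pfs: bool) -> bool:
    """True if a later SKEYID_d compromise yields the recorded tunnel's keys."""
    return run_exchange(pfs)["attacker_recovers"]


if __name__ == "__main__":
    for setting in (False, True):
        r = run_exchange(setting)
        print(f"pfs={'on ' if setting else 'off'} -> attacker recovers IPsec keys: "
              f"{r['attacker_recovers']}")
```

The model also shows why the daemon can accept a PFS request from the peer even when "no pfs" is configured locally: the responder only has to contribute its own fresh public value, and the resulting KEYMAT is strictly harder to recover than the non-PFS one.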
35.3.8 Configure allowed crypto algorithms for IKE phase-1
Syntax [no] ike crypto <3des|aes128|...> auth
Context
context
Usage Set IKE phase-1 handshake. Configure what security suite to use to protect the IKE authentication handshake. Here the security suite consists of three parameters:
• Encryption algorithm: Supported encryption algorithms are 3des, aes128, aes192 and aes256.
• Message authentication/integrity: Supported hash algorithms for message authentication are md5, and sha1.
© 2015 Westermo Teleindustri AB