Use pfs to enable the Perfect Forward Secrecy (PFS) feature for an IPsec transform set.

Use undo pfs to restore the default.


In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 }

undo pfs

In FIPS mode:

pfs { dh-group14 | dh-group19 | dh-group20 }

undo pfs


The PFS feature is disabled for the IPsec transform set.


IPsec transform set view

Predefined user roles




dh-group1: Uses 768-bit Diffie-Hellman group.

dh-group2: Uses 1024-bit Diffie-Hellman group.

dh-group5: Uses 1536-bit Diffie-Hellman group.

dh-group14: Uses 2048-bit Diffie-Hellman group.

dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.

dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

Usage guidelines

In terms of security and required calculation time, the following groups are in descending order: 384-bit ECP Diffie-Hellman group (dh-group20), 256-bit ECP Diffie-Hellman group (dh-group19), 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).

If IKEv1 is used, the security level of the Diffie-Hellman group of the initiator must be higher than or equal to that of the responder. This restriction does not apply to IKEv2.

The end without the PFS feature performs IKE negotiation according to the PFS requirements of the peer end.


# Enable PFS using 2048-bit Diffie-Hellman group for IPsec transform set tran1.

<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] pfs dh-group14