This setting specifies whether perfect forward secrecy (PFS) is
used when negotiating the security association, and if so, which Diffie-Hellman
group is used. The default setting is **None**. If PFS is used,
each phase 2 key is derived independently through a separate Diffie-Hellman
exchange. With PFS, if a single key is compromised, the integrity
of subsequently generated keys is not affected.

- Select **None** if you do not want to use perfect forward secrecy.
- Select **Group 1** to use a modular exponentiation group with a 768-bit modulus. Do not use **Group 1** when the stack is configured for FIPS 140 mode.
- Select **Group 2** to use a modular exponentiation group with a 1024-bit modulus. Do not use **Group 2** when the stack is configured for FIPS 140 mode.
- Select **Group 5** to use a modular exponentiation group with a 1536-bit modulus. Do not use **Group 5** when the stack is configured for FIPS 140 mode.
- Select **Group 14** to use a modular exponentiation group with a 2048-bit modulus.
- Select **Group 19** to use a random 256-bit elliptic curve group.
- Select **Group 20** to use a random 384-bit elliptic curve group.
- Select **Group 21** to use a random 521-bit elliptic curve group.
- Select **Group 24** to use a modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup.

- If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5, 14, 19, 20 or 24.
- If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21.

**Rule:** This security level cannot be used in a stack configured
for FIPS 140 if any of the following groups is selected:

- Group 1
- Group 2
- Group 5