This setting specifies whether perfect forward secrecy (PFS) is
used when negotiating the security association, and if so, which Diffie-Hellman
group is used. The default setting is None. If PFS is used,
each phase 2 key is derived independently through a separate Diffie-Hellman
exchange. With PFS, if a single key is compromised, the integrity
of subsequently generated keys is not affected.
- Select None if you do not want to use perfect forward secrecy.
- Select Group 1 to use a modular exponentiation group with
a 768-bit modulus. Do not use Group 1 when the stack is configured
for FIPS 140 mode.
- Select Group 2 to use a modular exponentiation group with
a 1024-bit modulus. Do not use Group 2 when the stack is configured
for FIPS 140 mode.
- Select Group 5 to use a modular exponentiation group with
a 1536-bit modulus. Do not use Group 5 when the stack is configured
for FIPS 140 mode.
- Select Group 14 to use a modular exponentiation group with
a 2048-bit modulus.
- Select Group 19 to use a random 256-bit elliptic curve
group.
- Select Group 20 to use a random 384-bit elliptic curve
group.
- Select Group 21 to use a random 521-bit elliptic curve
group.
- Select Group 24 to use a modular exponentiation group with
a 2048-bit modulus and 256-bit prime order subgroup.
Guidelines:
- If you are using encryption or authentication algorithms with
a 128-bit key, use Diffie-Hellman groups 5, 14, 19, 20 or 24.
- If you are using encryption or authentication algorithms with
a 256-bit key or higher, use Diffie-Hellman group 21.
Rule: This security level cannot be used in a stack configured
for FIPS 140 if any of the following groups is selected:
- Group 1
- Group 2
- Group 5