A feature common to IPSec Virtual Private Network implementations throughout the Cisco product line is Perfect Forward Secrecy (PFS). This optional additional component is now a default supplied configuration setting with the Adaptive Security Device Manager (ASDM) IPSec setup wizard, even though it is not a configuration default.
Before we examine the impact of PFS, it is useful to describe what it is. IPSec VPN tunnel establishment consists of two phases of Internet Key Exchange (IKE).
- Phase I of IKE negotiates parameters used to protect the ISAKMP packets
- Phase II negotiates parameters used to protect the ESP payloads containing encrypted user application data packets
As RFC2409 Appendix B describes, when an IPSec Phase II expires, a new initialization vector is created and Quick Mode negotiation ensues.
By default, the Phase I security association lifetime on all Cisco devices is one day, or 86400 seconds as usually seen in a show crypto isakmp sa command. The Phase II lifetime, by contrast, is considerably shorter with a default of 3600 seconds (1 hour) on the Cisco IOS routers and 28800 seconds (8 hours) on the ASA, PIX and VPN concentrator. This implies that there will be at least three Phase II (Quick Mode) exchanges for every one Phase I negotiation. The problem with this approach is that initialization vectors are notoriously weak, and if a cracker were to break the encryption key used during the first eight hours of operation, for example, all subsequent keys would be susceptible.
PFS mitigates this last threat by providing a mechanism to perform Phase I and Phase II negotiations at the expiration of the Phase II lifetime. This option is configurable within the Phase II negotiated parameters and, if implemented, essentially renders the configured (or default) Phase I lifetime meaningless. When added to the configuration, it appears as follows in the crypto map: set pfs group , where the DH-group-# stands for the Diffie-Hellman group number and is 1, 2 or 5.
An interesting result is obtained if the ASA is configured using the IPSec VPN setup wizard to connect to an IOS router. If the router is not configured for PFS, it will successfully negotiate Phase II Quick Mode IKE if the ASA is the initiator; however, if the roles are reversed and the tunnel initiates from the router, it will not propose PFS and Phase II will fail! A good practice, therefore, is to ensure that PFS is configured on both endpoints to ensure bidirectional IPSec VPN initiation.
Author: Doug McKillip
RFC2412 - The OAKLEY Key Determination Protocol