Group 2—1024 bits (the default). A 1024-bit MODP group is widely regarded as too weak for new deployments; prefer one of the elliptic curve groups where both peers support it.
Group 19—256-bit elliptic curve group
Group 20—384-bit elliptic curve group
no-pfs—By default, perfect forward secrecy (PFS) is enabled, which means a new Diffie-Hellman (DH) key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1, so compromise of the phase 1 keying material does not expose the IPsec SA keys. If you select no-pfs, no new DH exchange takes place in phase 2: the DH key created in phase 1 is not renewed, and the keys for every IPsec SA are derived from that single phase 1 secret. PFS must be either enabled on both VPN peers or disabled on both; the phase 2 negotiation fails if the settings do not match.
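The difference between the two settings is easiest to see in the key derivation itself. The following is an added example, not code from the original page or from the vendor's product: a toy model of IKEv1 Quick Mode keying (the phase 1 / phase 2 terminology above is IKEv1's) that derives the IPsec SA key material per RFC 2409 with and without PFS. It uses the real 1024-bit MODP prime of Oakley Group 2, HMAC-SHA256 standing in for the negotiated prf, and constructed nonces, cookies and SPIs. The attacker is modelled as having obtained the phase 1 secret SKEYID_d plus everything sent in the clear, but neither peer's phase 2 private exponent; the function names and the attacker model are this example's own.

```python
"""Toy model of IKEv1 Quick Mode keying with and without PFS (added example).

Derivations follow RFC 2409: SKEYID_d from section 5, KEYMAT from section 5.5.
HMAC-SHA256 stands in for the negotiated prf. Cookies, nonces and SPIs are
constructed at random; the attacker's knowledge is an assumption of the model.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Oakley Group 2: 1024-bit MODP prime with generator 2 (RFC 2409 section 6.2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def i2b(n: int) -> bytes:
    """Big-endian encoding of a DH value, which is how g^xy is fed to the prf."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent in [1, P-2] and the matching public value g^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def phase1_skeyid_d(ni: bytes, nr: bytes, g_xy: int, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_d: the phase 1 secret from which every later IPsec SA key is derived."""
    skeyid = prf(ni + nr, i2b(g_xy))                          # signature-auth form of SKEYID
    return prf(skeyid, i2b(g_xy) + cky_i + cky_r + b"\x00")


def keymat(skeyid_d: bytes, proto: bytes, spi: bytes, ni: bytes, nr: bytes,
           g_qm_xy: Optional[int]) -> bytes:
    """Quick Mode KEYMAT. With PFS the fresh phase 2 secret g(qm)^xy is mixed in;
    without it the key depends only on SKEYID_d and values sent in the clear."""
    if g_qm_xy is None:
        return prf(skeyid_d, proto + spi + ni + nr)
    return prf(skeyid_d, i2b(g_qm_xy) + proto + spi + ni + nr)


def run_phase1() -> bytes:
    """Phase 1 DH exchange between two peers; returns the shared SKEYID_d."""
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    g_xy = pow(gy, x, P)
    assert g_xy == pow(gx, y, P)                              # both sides agree on g^xy
    return phase1_skeyid_d(ni, nr, g_xy, cky_i, cky_r)


def quick_mode(skeyid_d: bytes, initiator_pfs: bool, responder_pfs: bool) -> dict:
    """Phase 2 with each peer applying its own PFS setting.

    A mismatch is modelled as the two sides deriving different KEYMAT (a real
    responder would reject the exchange instead). The attacker knows SKEYID_d
    and everything on the wire, but not the phase 2 private exponents x and y.
    """
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    proto = b"\x03"                                           # PROTO_IPSEC_ESP
    x, gx = dh_keypair()                                      # KE payloads, only sent with PFS
    y, gy = dh_keypair()
    km_i = keymat(skeyid_d, proto, spi, ni, nr, pow(gy, x, P) if initiator_pfs else None)
    km_r = keymat(skeyid_d, proto, spi, ni, nr, pow(gx, y, P) if responder_pfs else None)
    km_attacker = keymat(skeyid_d, proto, spi, ni, nr, None)  # cannot form g(qm)^xy
    return {"peers_agree": km_i == km_r, "attacker_recovers": km_attacker == km_i}


if __name__ == "__main__":
    for init_pfs, resp_pfs in ((True, True), (False, False), (True, False)):
        print(f"pfs initiator={init_pfs} responder={resp_pfs}:",
              quick_mode(run_phase1(), init_pfs, resp_pfs))
```

With PFS on both sides the peers agree and the attacker, despite holding SKEYID_d, cannot reproduce KEYMAT; with no-pfs on both sides the attacker reproduces it exactly, which is the "single key" exposure the option description warns about; with PFS on only one side the peers derive different keys, the mismatch the last sentence above refers to.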