PFS - VPN Tutorial



PFS (Perfect Forward Secrecy)

PFS ensures the same key is never generated again by forcing a new Diffie-Hellman key exchange. This means that if an attacker compromises a private key, they can only access the data in transit that was protected by that key, not any future data, because future data is never derived from the compromised key.

Both sides of the VPN must support PFS for it to work. When PFS is turned on, the two gateways generate a new set of phase 1 keys for every negotiation of a new phase 2 SA. This is the extra layer of protection PFS adds: once the phase 2 SAs have expired, the keys for the new phase 2 SAs are not generated from the existing phase 1 keying material. If PFS is not turned on, the keying material already established in phase 1 is reused to generate the new phase 2 SAs.

Using PFS therefore provides a more secure VPN connection. It does have a drawback, though: it requires more processing power and makes phase 1 and phase 2 take slightly longer to complete. The keys PFS produces are session keys. A session key is created for one particular session only; when the session is brought down, the key is destroyed and never used again. The next time a session is initiated, a new and completely different session key is created.
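As an added illustration (not code from the original tutorial), the following Python model compares a phase 2 key derivation with and without PFS and shows why a later compromise of the phase 1 secret exposes only the non-PFS keys. The DH group, the derivation formula and the attacker model are simplified assumptions made for this example, not an IKE implementation.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only. A real IKE
# peer uses one of the standard MODP/ECP groups, never a parameter like this.
P = 2**127 - 1
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def phase2_keymat(skeyid_d, nonces, qm_shared=b""):
    # Simplified phase 2 key derivation: the phase 1 secret (skeyid_d) keys a
    # PRF over the quick-mode nonces, plus the fresh DH secret when PFS is on.
    return hmac.new(skeyid_d, qm_shared + nonces, hashlib.sha256).digest()

def negotiate_phase2(skeyid_d, pfs):
    """Run one phase 2 negotiation. Returns the agreed key and what a passive
    eavesdropper could record from the wire (nonces and, with PFS, DH publics)."""
    nonces = secrets.token_bytes(16) + secrets.token_bytes(16)
    transcript = {"nonces": nonces}
    qm_shared = b""
    if pfs:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        transcript["dh_pubs"] = (a_pub, b_pub)
        qm_shared = dh_shared(a_priv, b_pub)
        assert qm_shared == dh_shared(b_priv, a_pub)  # both gateways agree
    return phase2_keymat(skeyid_d, nonces, qm_shared), transcript

def attacker_derives(skeyid_d, transcript):
    """An attacker who later obtains the phase 1 secret replays the derivation
    over the recorded transcript. Without PFS that reproduces the real SA key;
    with PFS the DH exponents never went over the wire, so the best they can
    do is derive without the quick-mode secret, which yields the wrong key."""
    return phase2_keymat(skeyid_d, transcript["nonces"])

if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(32)  # constructed phase 1 keying material
    for pfs in (False, True):
        key, transcript = negotiate_phase2(skeyid_d, pfs)
        recovered = attacker_derives(skeyid_d, transcript) == key
        print(f"PFS {'on ' if pfs else 'off'}: attacker recovers SA key -> {recovered}")
```

Each PFS negotiation also yields a different key from the same phase 1 material, which is the rekeying behaviour the tutorial describes.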

You don't have to use PFS if you don't want to; just leave it disabled. However, if you are protecting very sensitive data, it should probably be enabled. It depends on your requirements and security policies, on how sensitive your data is, and on how often you would like to renew these keys. What is the worst that could happen if a criminal got their hands on this sensitive data? The answer should give you a good indication of whether you should enable PFS and how long each key should live before it is renewed. Just remember that enabling it and renewing keys more often has a small performance impact but provides further security.

So, in a nutshell, leaving PFS on improves security by forcing a new key exchange every so often, at the interval set by the configured lifetime settings.

Further Reading

Wikipedia's guide to PFS (Perfect Forward Secrecy)