Chapter 6 IP security and VPN 169
Using the BayStack Instant Internet Management Software Version 7.11

Contivity version 2.6 has also implemented aggressive mode for non-Contivity clients, in order to support more client implementations. Instant Internet leverages this new capability to act as a single-user client on behalf of the network (many-to-one NAT).

Using perfect forward secrecy

Perfect forward secrecy (PFS) means that the compromise of a single key only permits access to data protected by that key. In IPsec terms, a phase 2 (IPsec SA) key cannot be derived from a compromised phase 1 (IKE SA) key, because a fresh Diffie-Hellman exchange is performed for each phase 2 negotiation. PFS has been added primarily for easy compatibility with Contivity.

The PFS setting between the Instant Internet unit and the Contivity CES must match. The Instant Internet unit responds to a phase 2 key exchange performed by the destination regardless of this setting. Note that PFS also incurs significant additional computational overhead (an extra Diffie-Hellman exponentiation on every phase 2 negotiation and rekey) that you may want to avoid unless you understand the security implications and PFS is required.

The default setting for PFS depends on whether you add an IPsec tunnel to another Instant Internet unit or to a Contivity. The default when connecting to another Instant Internet unit is off. The default when connecting to Contivity is on.

To enable PFS:

1 Start Setup, and if prompted, select a unit to configure.
2 In the Interfaces area, select the IPsec interface for which you want to modify the PFS setting.
3 Click Configure.
The IPsec Configuration dialog box opens (Figure 85).
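The security implication behind the PFS setting, as an added example that is not part of this manual and not Instant Internet or Contivity code: the IKEv1 Quick Mode key derivation from RFC 2409 section 5.5 is modelled for both settings, and a passive attacker who has obtained the phase 1 key SKEYID_d and recorded every phase 2 message tries to recover the IPsec keying material. Without PFS the attacker succeeds; with PFS the extra Diffie-Hellman exchange (here the 1024-bit MODP group 2 from RFC 2409, with HMAC-SHA1 as the prf) keeps the keys out of reach. The phase 1 secret, nonces and SPI are constructed values chosen for the demonstration, and the single-iteration KEYMAT derivation ignores the expansion RFC 2409 uses for longer keys.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (group 2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PROTO_IPSEC_ESP = 3  # protocol identifier from RFC 2407


def dh_keypair():
    """Fresh ephemeral exponent and public value g^x mod p for one Quick Mode."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """g(qm)^xy as the 128-byte big-endian value IKE feeds into the prf."""
    return pow(peer_public, x, P).to_bytes(128, "big")


def prf(key, data):
    """IKEv1 prf when the negotiated hash is SHA-1: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, dh_secret=None):
    """KEYMAT as defined in RFC 2409 section 5.5.
    without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    prefix = b"" if dh_secret is None else dh_secret
    return prf(skeyid_d, prefix + bytes([protocol]) + spi + ni_b + nr_b)


def demonstrate(pfs):
    """Run one Quick Mode with PFS on or off and return the keys each party derives,
    plus what a passive attacker holding SKEYID_d can compute from the wire."""
    # Constructed phase 1 output: the key the attacker is assumed to have stolen.
    skeyid_d = hashlib.sha1(b"constructed phase 1 secret for the demo").digest()
    spi = bytes.fromhex("0a0b0c0d")  # constructed inbound SPI
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)

    if pfs:
        # Quick Mode carries KE payloads: each side contributes a fresh exponent.
        xi, gi = dh_keypair()
        xr, gr = dh_keypair()
        secret_i, secret_r = dh_shared(xi, gr), dh_shared(xr, gi)
    else:
        secret_i = secret_r = None

    keymat_i = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, secret_i)
    keymat_r = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, secret_r)

    # The attacker saw the nonces, the SPI and (with PFS) g^x and g^y, but holds no
    # private exponent, so the only derivation available omits the DH secret.
    keymat_attacker = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b)

    return {"initiator": keymat_i, "responder": keymat_r, "attacker": keymat_attacker}


if __name__ == "__main__":
    for setting in (False, True):
        r = demonstrate(setting)
        assert r["initiator"] == r["responder"]
        recovered = r["attacker"] == r["initiator"]
        print(f"PFS {'on ' if setting else 'off'}: attacker with SKEYID_d "
              f"{'recovers' if recovered else 'cannot recover'} the IPsec keys")
```

This is why the manual tells you to weigh the overhead against the security implications: with PFS off, a single phase 1 compromise exposes every IPsec SA derived from it; with PFS on, the cost is one extra modular exponentiation per phase 2 negotiation and rekey on each side, and both peers must agree on the setting or the two derivations above no longer produce the same key.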