VPN Screens 13-27 Contivity 221 VPN Switch User’s Guide

13.13.3 Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.

13.13.4 Perfect Forward Secrecy (PFS)

Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.

This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Contivity 221. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).

13.14 Configuring Advanced Branch Office Setup

Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule’s settings. The basic IKE rule setup screen opens.

In the VPN Branch Office Rule Setup screen, click the Advanced button to display the VPN Branch Office Advanced Rule Setup screen.
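As an added illustration of sections 13.13.3 and 13.13.4 (example code written for this page, not Contivity firmware), the following Python runs a Diffie-Hellman exchange over the 1024-bit MODP group (RFC 2409 Group 2, the DH2 of this guide) and contrasts a toy per-SA key derivation with PFS disabled and with PFS enabled. The SA key derivation, the SPI values and the peer public-value check are constructed assumptions for the demonstration, not the switch's actual key schedule.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (RFC 2409 Oakley Group 2, the guide's DH2); generator 2.
P_DH2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair(p=P_DH2, g=G):
    x = secrets.randbelow(p - 3) + 2          # private exponent, 2 <= x <= p-2
    return x, pow(g, x, p)                    # (private, public g^x mod p)


def dh_shared(x, peer_public, p=P_DH2):
    """Reject 0, 1 and p-1 (they force a trivial secret), then compute."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, x, p)


def dh_exchange():
    """One exchange; the private exponents die here, as a transient key should."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    s = dh_shared(a, pub_b)
    assert s == dh_shared(b, pub_a)           # both peers hold the same secret
    return s


def sa_key(root_secret, spi, pfs_secret=None):
    """Constructed toy IPsec SA key derivation (not the Contivity KDF): without
    PFS only the IKE root secret and SPI feed it; with PFS a fresh DH result too."""
    msg = spi.to_bytes(4, "big")
    if pfs_secret is not None:
        msg += pfs_secret.to_bytes(128, "big")
    return hmac.new(root_secret.to_bytes(128, "big"), msg, hashlib.sha256).hexdigest()


def pfs_comparison(spi_a=0x1001, spi_b=0x1002):
    """What a holder of the IKE root secret can recompute, PFS off vs on."""
    root = dh_exchange()                      # IKE SA (phase 1) root secret
    k_b_nopfs = sa_key(root, spi_b)           # PFS off: derived from root only
    k_a_pfs = sa_key(root, spi_a, dh_exchange())   # PFS on: new DH per IPsec SA
    k_b_pfs = sa_key(root, spi_b, dh_exchange())
    return {
        "nopfs_key_b_from_root": sa_key(root, spi_b) == k_b_nopfs,   # True
        "pfs_key_a_from_root": sa_key(root, spi_a) == k_a_pfs,       # False
        "pfs_keys_independent": k_a_pfs != k_b_pfs,                  # True
    }
```

With PFS disabled, the root secret alone reproduces every later SA key; with PFS enabled, each SA key also needs a DH secret that was discarded after use, which is the property the guide describes.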