Perfect forward secrecy (PFS) in IPsec VPNs
PFS ensures that the encryption keys for each IPsec SA negotiation are generated independently, so that the keys of one negotiation cannot be derived from the keys of another.
It is possible to configure IKE SA negotiations to occur less frequently than IPsec SA negotiations to improve performance. However, this arrangement is less secure than renegotiating both phases, because the IPsec SA negotiations generate encryption keys based on keying material from the IKE SA negotiation. To improve security, you can activate PFS. When the encryption keys are created separately for each IPsec SA negotiation, a compromised key can only be used to decrypt communications sent before the next IPsec SA negotiation. Otherwise, compromising one key can potentially breach all communications between two IKE SA negotiations, which cover a longer period.
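The following is an added example, not part of the original page or any vendor's code, that models the IKEv2 child SA key derivation (RFC 7296, KEYMAT = prf+(SK_d, Ni | Nr) without PFS and prf+(SK_d, g^ir | Ni | Nr) with PFS) to show why PFS limits the damage from a compromised IKE SA. The DH group is a toy group chosen for the simulation, not a registered IKE group, and SK_d is drawn at random instead of being derived from a real IKE exchange.

```python
# Added example: why PFS limits the blast radius of a compromised IKE SA.
import hashlib
import hmac
import secrets

# Toy DH group for this simulation only (p = 2^255 - 19 is prime, but this is
# NOT a standardised IKE DH group; real deployments use a registered group).
TOY_P = 2**255 - 19
TOY_G = 2


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13, using HMAC-SHA256 as the PRF."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def derive_child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"") -> bytes:
    """KEYMAT for an IPsec (child) SA, RFC 7296 section 2.17.
    Without PFS: prf+(SK_d, Ni | Nr).  With PFS: prf+(SK_d, g^ir | Ni | Nr),
    where g^ir is a fresh Diffie-Hellman secret agreed for this child SA only."""
    return prf_plus(sk_d, g_ir + ni + nr, 64)


def toy_dh_keypair() -> tuple:
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def keymat_recoverable_from_sk_d(pfs: bool) -> bool:
    """Return True if someone who later obtains the IKE SA secret SK_d (and so can
    read the nonces exchanged under that IKE SA) can reproduce the child KEYMAT."""
    sk_d = secrets.token_bytes(32)  # in reality derived during the IKE SA negotiation
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    g_ir = b""
    if pfs:
        i_priv, i_pub = toy_dh_keypair()
        r_priv, r_pub = toy_dh_keypair()
        # Both peers reach the same secret; only i_pub and r_pub travel on the wire,
        # and the private exponents are discarded once KEYMAT is derived.
        assert pow(r_pub, i_priv, TOY_P) == pow(i_pub, r_priv, TOY_P)
        g_ir = pow(r_pub, i_priv, TOY_P).to_bytes(32, "big")
    real_keymat = derive_child_keymat(sk_d, ni, nr, g_ir)
    # Holder of SK_d and the nonces, but not of the per-child DH secret.
    reconstructed = derive_child_keymat(sk_d, ni, nr)
    return reconstructed == real_keymat
```

With PFS off, every IPsec SA keyed under the same IKE SA is recoverable from SK_d; with PFS on, each child SA additionally depends on a DH secret that is never reused, which is the property the text describes.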