With Perfect Forward Secrecy the exposure of one key permits access only to data protected by that key. When PFS is configured, the IKE daemon creates a new ISAKMP SA for each IPSec SA negotiation and performs a Diffie-Hellman exchange for each IPSec SA negotiation.
A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised.
In PFS, the key that is used to protect transmission of data is not used to derive additional keys. Also, the source of the key that is used to protect data transmission is never used to derive additional keys. PFS applies to authenticated key exchange only. See also Diffie-Hellman protocol.