Could someone explain to me the basic concept of PFS (Perfect Forward Secrecy)?
I do have some VPNs configured in my router with no PFS. What is the extra security feature that PFS provides?
Thanks in advance,
During the initial IKE Phase 1 negotiation, public DH key values are exchanged to derive the shared secret DH value. These public and private DH values are used to generate the session key used to encrypt the 5th and 6th main mode exchanges. If you do not specify PFS, the same public and private DH values derived in Phase 1 are used to generate the subsequent keying material that protects IPsec traffic.
When PFS is used, there is an additional DH key exchange performed in IKE Phase 2. These new public/private DH values are then used to generate the keying material for the encrypted IPsec traffic.
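The difference the answer describes can be made concrete with a small model of the IKEv1 key derivation. The script below is an added illustration, not code from the original post or from any router; it follows the shape of RFC 2409 section 5 (SKEYID, SKEYID_d, KEYMAT) but simplifies it: HMAC-SHA256 stands in for the negotiated prf, the signature-authentication form of SKEYID is used, and the cookies, nonces and SPI are random constructed values. The DH group is the 1024-bit MODP Group 2 from RFC 2409, which is fine for demonstrating the idea and too small for real use. The "attacker" models someone who recorded the whole exchange off the wire and later obtained the Phase 1 DH private exponent, for example from a memory dump of the router. Without PFS that single exponent is enough to recompute the IPsec keys; with PFS the quick mode exponent, which was discarded after Phase 2, is needed as well.

```python
# Added example (not from the original post): a simplified model of IKEv1
# key derivation showing what the optional Phase 2 DH exchange (PFS) changes.
import hashlib
import hmac
import secrets

# RFC 2409 Appendix E, Group 2 (1024-bit MODP). Used for illustration only;
# real deployments should negotiate a larger group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKE prf (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^xy mod p as a fixed-width byte string."""
    return pow(peer_pub, priv, P).to_bytes(128, "big")


def derive_keymat(g_xy, ni, nr, cky, qm_secret, spi, ni2, nr2) -> bytes:
    """Simplified RFC 2409 section 5 derivation.
    SKEYID   = prf(Ni|Nr, g^xy)               (signature-auth variant)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    KEYMAT   = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    qm_secret is empty when PFS is off and the quick mode DH result when on."""
    skeyid = prf(ni + nr, g_xy)
    skeyid_d = prf(skeyid, g_xy + cky + b"\x00")
    proto = b"\x03"  # PROTO_IPSEC_ESP
    return prf(skeyid_d, qm_secret + proto + spi + ni2 + nr2)


def ike_exchange(pfs: bool) -> dict:
    """Run Phase 1 then Phase 2 and return the IPsec KEYMAT, everything a
    passive eavesdropper could record, and the initiator's DH exponents."""
    # Phase 1 (main mode): one DH exchange; its result seeds SKEYID_d.
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky = secrets.token_bytes(8) + secrets.token_bytes(8)  # CKY-I | CKY-R
    assert dh_shared(xi, gr) == dh_shared(xr, gi)
    capture = {"gi": gi, "gr": gr, "ni": ni, "nr": nr, "cky": cky}
    # Phase 2 (quick mode): fresh nonces always; fresh DH only with PFS.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    capture.update({"ni2": ni2, "nr2": nr2, "spi": spi})
    qm_secret, yi = b"", None
    if pfs:
        yi, qgi = dh_keypair()
        yr, qgr = dh_keypair()
        qm_secret = dh_shared(yi, qgr)
        capture.update({"qgi": qgi, "qgr": qgr})
    keymat = derive_keymat(dh_shared(xi, gr), ni, nr, cky, qm_secret, spi, ni2, nr2)
    # In a real implementation the exponents are wiped after use; they are
    # returned here only so the test can model a later compromise.
    return {"keymat": keymat, "capture": capture,
            "phase1_priv_i": xi, "phase2_priv_i": yi}


def attacker_keymat(capture, leaked_phase1_priv, leaked_phase2_priv=None):
    """Eavesdropper who recorded the exchange and later obtained the Phase 1
    private exponent. Returns the KEYMAT it can compute, or None if the
    quick mode exponent would also be required (PFS)."""
    c = capture
    g_xy = dh_shared(leaked_phase1_priv, c["gr"])
    qm_secret = b""
    if "qgi" in c:  # a PFS exchange was recorded
        if leaked_phase2_priv is None:
            return None
        qm_secret = dh_shared(leaked_phase2_priv, c["qgr"])
    return derive_keymat(g_xy, c["ni"], c["nr"], c["cky"], qm_secret,
                         c["spi"], c["ni2"], c["nr2"])


if __name__ == "__main__":
    for pfs in (False, True):
        s = ike_exchange(pfs)
        got = attacker_keymat(s["capture"], s["phase1_priv_i"])
        print(f"PFS={pfs}: Phase 1 exponent alone recovers IPsec keys: "
              f"{got == s['keymat']}")
```

Running it prints that the Phase 1 exponent alone recovers the IPsec keys only when PFS is off. The point to take away for a router configuration is that without PFS every quick mode SA hanging off one Phase 1 SA shares a single long-lived secret, so one leak exposes all of the recorded traffic under that Phase 1 SA; with PFS each Phase 2 SA costs an extra modular exponentiation on both ends but exposes only itself.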