Perfect Forward Secrecy (PFS) generates new Diffie-Hellman keys for each Phase negotiation. Without PFS, if an attacker later compromises your long-term keys, they could decrypt all previously captured traffic.
With PFS enabled, each Phase session uses unique keys. Compromising one session's keys doesn't affect others. Enable PFS on both ends of your tunnel. It adds computational overhead during rekeying but protects historical data.
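The difference can be seen in a simplified model of rekeying, added here as an illustration and not taken from the original page or from any VPN implementation. The names `rekey` and `recover_from_capture`, the HMAC-based key derivation and the small toy group are assumptions of the sketch, and the nonces are treated as readable by the attacker once the long-term secret is stolen.

```python
import hashlib, hmac, secrets

# Toy group, constructed for illustration: 2**127 - 1 is prime but far too
# small for real use. Real tunnels use standardized, much larger groups.
P, G = 2**127 - 1, 3

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def rekey(long_term: bytes, pfs: bool):
    """Run one rekey between two peers. Returns (session_key, capture), where
    capture holds only what a passive eavesdropper could have recorded."""
    nonces = secrets.token_bytes(32)
    capture = {"nonces": nonces}
    material = nonces
    if pfs:
        # Each peer picks a fresh private exponent used for this rekey only.
        a = secrets.randbelow(P - 3) + 2
        b = secrets.randbelow(P - 3) + 2
        pub_a, pub_b = pow(G, a, P), pow(G, b, P)
        shared_a, shared_b = pow(pub_b, a, P), pow(pub_a, b, P)
        assert shared_a == shared_b            # both ends derive the same secret
        capture["dh_public"] = (pub_a, pub_b)  # only public values cross the wire
        material = shared_a.to_bytes(16, "big") + nonces
        # a and b are discarded when this function returns.
    return prf(long_term, material), capture

def recover_from_capture(stolen_long_term: bytes, capture: dict) -> bytes:
    """The key an attacker can compute from a capture plus the stolen
    long-term secret, without ever learning a private exponent."""
    return prf(stolen_long_term, capture["nonces"])

def demo() -> dict:
    """For each mode, report per session whether the recovered key matches."""
    long_term = secrets.token_bytes(32)
    results = {}
    for pfs in (False, True):
        sessions = [rekey(long_term, pfs) for _ in range(3)]
        results[pfs] = [recover_from_capture(long_term, cap) == key
                        for key, cap in sessions]
    return results

if __name__ == "__main__":
    print(demo())
```

Without PFS every captured session falls to the stolen secret; with PFS none do, because each key also depends on a per-rekey Diffie-Hellman secret that was never transmitted or stored.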