I'm trying to see the actual point in implementing Perfect Forward Secrecy during Internet Key Exchange Phase 2, if it had already been used during Phase 1.
Quoting the IKEv2 RFC:
RFC 5596
3.3.2. Transform Substructure [...] Although ESP and AH do not directly include a Diffie-Hellman exchange, a Diffie-Hellman group MAY be negotiated for the Child SA. This allows the peers to employ Diffie-Hellman in the CREATE_CHILD_SA exchange, providing perfect forward secrecy for the generated Child SA keys.
Is there a real security incentive to implement this forward secrecy feature?
What is the risk it tries to cover?
My understanding is that, without PFS here, the Child SA (Security Association) keys are derived directly from the keys negotiated during Phase 1.
If an attacker gets his hands on the dynamically generated keys negotiated during Phase 1 (in memory or after breaking the involved cryptography), I cannot see why he could not get the new ones generated during Phase 2.