Main Mode and Aggressive Mode
IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE phase 2 negotiations. IKE uses one of two modes for phase 1 negotiations: main mode or aggressive mode. The choice of main or aggressive mode is a matter of tradeoffs. Some of the characteristics of the two modes are:
- Main mode
- Protects the identities of the peers during negotiations and is therefore more secure.
- Enables greater proposal flexibility than aggressive mode.
- Is more time consuming than aggressive mode because more messages are exchanged between peers. (Six messages are exchanged in main mode.)
- Aggressive mode
- Exposes identities of the peers to eavesdropping, making it less secure than main mode.
- Is faster than main mode because fewer messages are exchanged between peers. (Three messages are exchanged in aggressive mode.)
- Enables support for fully qualified domain names (FQDNs) when the router uses preshared keys.
The next section describes aggressive mode in more detail.