Choosing main mode or aggressive mode
The FortiGate unit and the remote peer or dialup client exchange phase 1 parameters in either Main mode or Aggressive mode. This choice does not apply if you use IKE version 2, which is available only for route-based configurations.
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID). Descriptions of the peer options in this guide indicate whether Main or Aggressive mode is required.
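The following audit script is an added example, not part of the original guide or Fortinet's own tooling. It reads phase 1 entries from FortiOS CLI `show` output and separates Aggressive mode entries that match the dialup case above from those that could be moved to Main mode. Assumptions: defaults (Main mode, IKE version 1) are omitted from the output, the interface name stands in for the interface IP address, and a `peerid` setting indicates identifier-based authentication; the sample configuration is constructed.

```python
import shlex
from collections import Counter

# Constructed sample in FortiOS CLI syntax (not taken from a real device).
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "dialup-sales"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peerid "sales"
    next
    edit "dialup-eng"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peerid "eng"
    next
    edit "branch-static"
        set mode aggressive
    next
    edit "hq-ikev2"
        set ike-version 2
    next
end
'''

def parse_phase1(text):
    """Return {entry name: {setting: value}} for every 'edit' block."""
    entries, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["edit"]:
            current = entries.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and current is not None:
            current[tok[1]] = " ".join(tok[2:])
    return entries

def audit(entries):
    """Map each IKEv1 Aggressive mode entry to 'required' or 'review'."""
    # Assumed defaults when a setting is absent: ike-version 1, mode main.
    dialups = Counter(c.get("interface") for c in entries.values() if c.get("type") == "dynamic")
    result = {}
    for name, cfg in entries.items():
        if cfg.get("ike-version", "1") != "1" or cfg.get("mode", "main") != "aggressive":
            continue  # IKEv2 or Main mode: the mode choice is not a concern here
        shared = cfg.get("type") == "dynamic" and dialups[cfg.get("interface")] > 1
        result[name] = "required" if shared and "peerid" in cfg else "review"
    return result
```

Calling `audit(parse_phase1(SAMPLE_CONFIG))` marks the two dialup entries sharing `wan1` as `required` and the static entry as `review`, meaning it is a candidate for Main mode.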