Category Archives: 15. Tunnel


IKE Phase 1 is the ISAKMP (Internet Security Association and Key Management Protocol) exchange – it is used to create a private tunnel between the peers (the routers) for secure communication.

IKE Phase 2 is also known as IPsec – it creates the IPsec tunnel used for user traffic.

Main Mode vs Aggressive Mode:

Fortigate selecting Main and Aggressive Mode:

Basic Site-to-Site IPsec VPN (Aggressive Mode):

IKE main mode, aggressive mode, & phase 2.

IPsec VPN, Main mode Vs Aggressive mode

- Aggressive mode is faster than main mode.
- It is generally recommended to use main mode instead of aggressive mode.
- If aggressive mode must be used, for performance reasons for example, prefer Public Key Encryption authentication.

Question and Answer:
1. When do we use main mode and aggressive mode? In which scenarios do we choose them?
A: Aggressive mode is typically used for remote access VPNs (remote users). Also you would use aggressive mode if one or both peers have dynamic external IP addresses.
While Main mode is used for Site-to-Site VPNs.

2. It will depend on the authentication type used:
   1. In PSK mode, you have to use Aggressive mode when one side is in dynamic IP addressing.
   2. In the other authentication modes, you can use either Main or Aggressive.
   One advantage of the Aggressive mode over the Main mode is it is more

3. Which mode is the secure one? Main mode or Aggressive?
A: Main mode is secure as it negotiates the SA parameters first before authenticating, which aggressive mode does not do.
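As an added illustration (not part of the original notes), the following Python parses the ISAKMP header and the cleartext payload chain of IKEv1 first messages and flags aggressive mode, where the peer identity (ID payload) is sent before any encryption is established; the packet bytes are constructed samples, not captured traffic, and the exchange/payload type numbers are those from RFC 2408 and RFC 2409.

```python
import struct

# ISAKMP exchange types in the header (RFC 2408 / RFC 2409)
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
# Generic payload types (RFC 2408 section 3.1)
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "HASH", 9: "SIG", 10: "NONCE", 13: "VID"}
ENCRYPTED = 0x01  # header flag bit: the payloads after the header are encrypted

def build_isakmp(exchange, payloads, flags=0):
    """Constructed packet builder (sample data, not real traffic): chain payloads, prepend header."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      exchange, flags, 0, 28 + len(body))
    return hdr + body

def parse_isakmp(packet):
    """Return the exchange type, the encryption flag and the names of cleartext payloads."""
    if len(packet) < 28:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, exch, flags, _, length = struct.unpack("!8s8sBBBBII", packet[:28])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    encrypted = bool(flags & ENCRYPTED)
    names, off = [], 28
    while nxt and not encrypted:  # encrypted payloads cannot be walked
        if off + 4 > len(packet):
            raise ValueError("payload chain runs past packet end")
        nxt2, _, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        names.append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
        nxt, off = nxt2, off + plen
    return {"exchange": EXCHANGE_TYPES.get(exch, f"type{exch}"), "encrypted": encrypted, "payloads": names}

def assess(packet):
    """Defender's view: report aggressive mode and identities that travel before encryption."""
    info = parse_isakmp(packet)
    info["id_in_clear"] = (not info["encrypted"]) and "ID" in info["payloads"]
    return info

# Constructed first messages: main mode carries only the SA proposal, while aggressive mode
# bundles SA, KE, NONCE and the peer ID into one unencrypted message.
MAIN_MODE_MSG1 = build_isakmp(2, [(1, b"\x00" * 8)])
AGGRESSIVE_MSG1 = build_isakmp(4, [(1, b"\x00" * 8), (4, b"\x01" * 16), (10, b"\x02" * 8),
                                   (5, b"\x01\x00\x00\x00\xc0\x00\x02\x01")])
```

Running `assess` over UDP/500 payloads from a capture shows which peers still negotiate in aggressive mode, which is the practical check behind the recommendation to prefer main mode.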