I recommend you to study the Config Guide for, for instance, the 320M, there comes a detailed explanation about VPN. From this way, you'll be able to know what is Tunnel and Transport Mode, Main and Agressive Modes...and when you must use them...There you can see:
- Phase 1: Phase 1 of an AutoKey IKE tunnel negotiation consists of the exchange of proposals for how to authenticate and secure the channel. The exchange can be in one of two modes: Aggressive or Main.
- Phase 2: After the participants have established a secure and authenticated channel, they proceed through Phase 2, in which they negotiate the SAs to secure the data to be transmitted through the IPSec tunnel.
This is a very brief summary about VPN, if you want to understand really how VPN works read the document.
Regards