Hi Rijo,
Sorry, it lost half my text in my last response, but I decided to provide a fuller explanation, so here goes.
IKE supports two modes of negotiation, Main mode and Aggressive mode. Main mode is the standard method used for site-to-site VPNs with static peers. Aggressive mode is typically used for VPN clients and sites with dynamic IP addresses.
In Main mode, the VPN tunnel initiator and the recipient send three two-way exchanges, a total of 6 messages. These are as follows:
First exchange (messages 1 and 2): Propose and accept the encryption and authentication algorithms
Second exchange (messages 3 and 4): Execute a DH exchange where the initiator and recipient each provide a nonce (a randomly generated number)
Third exchange (messages 5 and 6): Send and verify identities
By exchanging identity information after the second exchange where an encryption method has been established, the identity information remains secure. In Aggressive mode, a secure tunnel is still established but requires only 2 exchanges with a total of 3 messages which are:
First message: The VPN tunnel initiator proposes the SA, initiates a Diffie-Hellman key exchange, sends a nonce and its IKE identity
Second message: The recipient accepts the SA, authenticates the initiator, sends a nonce, its IKE identity and its digital certificate (if digital certificates are in use)
Third message: The initiator authenticates the recipient, confirms the exchange and sends its digital certificate (if digital certificates are in use)
Because the identities of both parties are sent in the clear, Aggressive mode does not provide identity protection. If you have different settings at each end, it is highly likely your VPN would never work.
Regards
Gavrilo
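
An added example, not part of the original post: a Python parser for the IKEv1 (ISAKMP, RFC 2408) header that reports which mode a captured UDP/500 message belongs to and whether an ID payload is readable in the clear. The function names `classify` and `build` and the three sample packets are constructed for illustration.

```python
import struct

# ISAKMP constants from RFC 2408 (IKEv1)
EXCHANGE = {2: "Main mode (Identity Protection)", 4: "Aggressive mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "HASH", 9: "SIG", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTED = 0x01
HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length

def classify(packet: bytes) -> dict:
    """Parse one IKEv1 message (UDP/500 payload) and report identity exposure."""
    if len(packet) < HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _, _, nxt, version, exch, flags, _, length = HDR.unpack_from(packet)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    payloads, off = [], HDR.size
    # The payload chain is only readable when the encryption flag is clear.
    while not encrypted and nxt != 0:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(nxt, f"type-{nxt}"))
        nxt, off = following, off + plen
    return {"mode": EXCHANGE.get(exch, f"exchange-{exch}"),
            "encrypted": encrypted, "payloads": payloads,
            "identity_in_clear": "ID" in payloads}

def build(exch: int, flags: int, chain: list, body: bytes = b"") -> bytes:
    """Build a constructed test message; payload contents are dummy bytes."""
    out = b""
    for i, (ptype, data) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        out += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    out += body
    first = chain[0][0] if chain else 5  # encrypted Main mode message 5 starts with ID
    return HDR.pack(b"I" * 8, b"\0" * 8, first, 0x10, exch, flags, 0, HDR.size + len(out)) + out

# Constructed samples: Main mode message 1, Aggressive mode message 1, Main mode message 5
MAIN_1 = build(2, 0, [(1, b"\0" * 8)])
AGGR_1 = build(4, 0, [(1, b"\0" * 8), (4, b"\1" * 16), (10, b"\2" * 16), (5, b"\3" * 8)])
MAIN_5 = build(2, FLAG_ENCRYPTED, [], body=b"\xaa" * 32)
```

Run over a capture from the VPN gateway, a result with `identity_in_clear` set on the first message shows the peer is negotiating in Aggressive mode.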