Article Id 196313

This article describes the difference between Aggressive and Main mode in IPSec VPN configurations.


Before going deep into IPSec VPN configurations, we need to understand the differences between Main and Aggressive mode. These images help to identify the differences between them and which mode you may want to use in your environment.

Main Mode:


1) Phase 1 negotiation is made in 6 messages in total.
2) The 1st message contains the ISAKMP policies, which contain the encryption and authentication algorithms that the sender is willing to use.
3) The 2nd message exchanges the Diffie-Hellman public keys.
4) The 3rd message authenticates the ISAKMP session by sending the Peer ID and the hash payloads.

Aggressive Mode:


1) Phase 1 negotiation is made in 3 messages in total.
2) All the data required to establish the SA (Security Association) is sent by the initiator.
3) The responder replies with the selected ISAKMP policy and an authentication request.
4) The initiator responds to the request and an SA is established.
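
The two modes can be told apart on the wire by the exchange type field of the ISAKMP header (2 for Main, 4 for Aggressive, per RFC 2408), and the payload chain shows where the Peer ID travels: in the first Aggressive message it is unencrypted, while Main mode sends it only after encryption is on (RFC 2409). The Python below is an added example, not code from the original article or from Fortinet; the function names `classify` and `build` are hypothetical and the sample packets are constructed with zero-filled payloads.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: cookies, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, big-endian).
HDR = struct.Struct("!8s8sBBBBII")
MODES = {2: ("Main", 6), 4: ("Aggressive", 3)}  # exchange type -> (mode, Phase 1 messages)
PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}

def classify(pkt: bytes) -> dict:
    """Identify the Phase 1 mode of one IKEv1 message and list its cleartext payloads."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, version, xchg, flags, _, length = HDR.unpack_from(pkt)
    if version != 0x10 or xchg not in MODES or length != len(pkt):
        raise ValueError("not a well-formed IKEv1 Phase 1 message")
    mode, total = MODES[xchg]
    encrypted = bool(flags & 0x01)  # E bit: everything after the header is encrypted
    seen, off = [], HDR.size
    while nxt and not encrypted:    # walk the generic payload headers
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        seen.append(PAYLOADS.get(nxt, str(nxt)))
        nxt, off = following, off + plen
    return {"mode": mode, "messages": total, "encrypted": encrypted,
            "payloads": seen, "peer_id_in_clear": "ID" in seen}

def build(xchg: int, flags: int, payloads: list) -> bytes:
    """Constructed test packet: payload bodies are zero bytes, not real key material."""
    body = b""
    for i, (_, size) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + size) + bytes(size)
    first = payloads[0][0] if payloads else 0
    return HDR.pack(b"I" * 8, bytes(8), first, 0x10, xchg, flags, 0,
                    HDR.size + len(body)) + body

# Constructed samples: Aggressive message 1 and Main message 5 (E bit set).
AGGRESSIVE_1 = build(4, 0, [(1, 48), (4, 128), (10, 16), (5, 12)])
MAIN_5 = build(2, 1, [(5, 12), (8, 20)])

if __name__ == "__main__":
    for name, pkt in (("aggressive msg 1", AGGRESSIVE_1), ("main msg 5", MAIN_5)):
        print(name, classify(pkt))
```
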