IPSec Main mode - IPSec Site to Site VPN
Main Mode (Phase 1)
For a successful and secure communication using IPSec, the IKE (Internet Key Exchange) protocols takes part in a two step negotiation. Main mode or Aggressive mode (Phase 1) authenticates and/or encrypts the peers. Quick mode (Phase 2) negotiates the algorithms and agree on which traffic will be sent across the VPN. Below I discuss Main mode (Phase 1).
Security association is achieved in two ways, using main mode or aggressive mode. The purpose for Main mode or phase 1 is to setup a secure channel in which Quick mode or phase 2 can be negotiated in. Both devices in negotiation exchange credentials with each other in which they would have to match in order to successfully authorise to be able to make a VPN connection. This is achieved by both peers exchanging the identical pre-shared keys or using digital certificates. However both have to use one or the other. So if one device is using a pre-shared key, the other key must also use an identical pre-shared key, and same goes for digital certificates. When both peers have successfully achieved this, then they have successfully identified themselves to each other. In phase 1, Main mode is used and three 2 way exchanges between the initiator and receiver of the tunnel are achieved. Main mode provides identity protection by authenticating peer identities when pre shared keys are used, and is typically used for site to site tunnels. The IKE SA’s are used to protect the security negotiations.
You should use main mode when peers have static IP addresses. If one or the other peer does not use IP address as the identifier of that peer then Main mode can only be used if certificates are used for the credential methods.
Further Reading
Wikipedia's guide to Internet Key Exchange