IPSec Main mode - IPSec Site to Site VPN (2024)

For successful and secure communication over IPsec, the IKE (Internet Key Exchange) protocol carries out a two-phase negotiation. In the first phase (Phase 1), Main mode or Aggressive mode authenticates the peers and establishes an encrypted channel between them. In the second phase (Phase 2), Quick mode negotiates the algorithms and agrees on which traffic will be sent across the VPN. Below we take a look at Main mode (Phase 1).

The Phase 1 security association can be established in one of two ways: Main mode or Aggressive mode. The purpose of Main mode (Phase 1) is to set up a secure channel inside which Quick mode (Phase 2) can be negotiated. During the negotiation both devices exchange credentials, and those credentials must match for the peers to authenticate each other and establish the VPN. This is achieved either by both peers holding an identical pre-shared key or by both using digital certificates. The two devices must use the same form of identification: if one device proves its identity with a pre-shared key, the other must use the identical pre-shared key, and if one device uses a digital certificate, both sides must use digital certificates. Once this succeeds, the peers have identified themselves to each other. In Main mode, Phase 1 consists of three two-way exchanges (six messages) between the initiator and the responder of the tunnel. Main mode provides identity protection: the peers' identities are sent only after the Diffie-Hellman exchange and are therefore encrypted, including when pre-shared keys are used. Main mode is typically used for site-to-site tunnels. The IKE SAs that result are used to protect the subsequent security negotiations.

You should use Main mode when the VPN peers have static IP addresses. If either VPN peer does not use its IP address as its identifier, Main mode can only be used with certificate authentication.
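The following toy model, added here as an illustration and not code from the original article, walks through the six Main mode messages with pre-shared-key authentication. It follows the RFC 2409 key derivation shape (SKEYID = prf(PSK, Ni | Nr), then SKEYID_d/a/e, and HASH_I/HASH_R over the Diffie-Hellman values, cookies, proposal and identity) but substitutes HMAC-SHA256 for the negotiated hash and a prf-derived keystream XOR for the Phase 1 cipher, so it is not interoperable with a real IKE implementation. The peer names, IP addresses, identities and PSK values are constructed. It demonstrates both points made above: identities only cross the wire encrypted, and because the responder must pick the pre-shared key before it can decrypt the initiator's identity, the PSK is looked up by the initiator's IP address, which is why Main mode with PSK requires static, known peer addresses.

```python
"""Toy model of IKEv1 Main mode (Phase 1) with pre-shared-key authentication.

Added illustration only: RFC 2409 key-derivation shape, stand-in primitives.
"""
import hashlib
import hmac
import os
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP), generator 2. Kept small for a quick demo;
# real deployments should negotiate a larger group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf; HMAC-SHA256 stands in for the negotiated hash algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the Phase 1 cipher: XOR with a prf-derived keystream (demo only)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += prf(key, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Peer:
    """One IKE endpoint. psk_by_ip mirrors a gateway's PSK table keyed by peer address."""

    def __init__(self, name: str, ip: str, identity: bytes, psk_by_ip: dict):
        self.name, self.ip, self.identity, self.psk_by_ip = name, ip, identity, psk_by_ip
        self.cookie = os.urandom(8)                       # CKY, sent in the ISAKMP header
        self.nonce = os.urandom(16)                       # Ni or Nr
        self.x = secrets.randbelow(P - 2) + 1             # DH private exponent
        self.ke = pow(G, self.x, P)                       # DH public value (KE payload)
        self.sa_proposal = b"AES-256/SHA256/group2/PSK"   # constructed proposal string

    def derive_keys(self, peer_ip, peer_ke, ni, nr, cky_i, cky_r):
        """SKEYID for PSK auth = prf(PSK, Ni | Nr). The PSK must be chosen by the peer's
        IP address: the peer's identity payload is still encrypted at this point."""
        psk = self.psk_by_ip.get(peer_ip)
        if psk is None:
            raise ValueError(f"{self.name}: no pre-shared key configured for peer {peer_ip}")
        gxy = pow(peer_ke, self.x, P).to_bytes(128, "big")
        skeyid = prf(psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_e


def main_mode(init: Peer, resp: Peer) -> dict:
    """Run the six Main mode messages; raise ValueError when authentication fails."""
    cky_i, cky_r = init.cookie, resp.cookie
    # Messages 1 and 2: SA proposal and acceptance, sent in the clear.
    if init.sa_proposal != resp.sa_proposal:
        raise ValueError("no matching Phase 1 proposal")
    # Messages 3 and 4: KE values and nonces, also in the clear.
    msg3 = {"ke": init.ke, "nonce": init.nonce}
    msg4 = {"ke": resp.ke, "nonce": resp.nonce}
    ni, nr = msg3["nonce"], msg4["nonce"]
    # Both sides derive keys now; each selects the PSK by the other side's IP address.
    skeyid_i, ske_i = init.derive_keys(resp.ip, msg4["ke"], ni, nr, cky_i, cky_r)
    skeyid_r, ske_r = resp.derive_keys(init.ip, msg3["ke"], ni, nr, cky_i, cky_r)
    ke_i_b, ke_r_b = init.ke.to_bytes(128, "big"), resp.ke.to_bytes(128, "big")
    # Message 5: initiator identity + HASH_I, encrypted under SKEYID_e.
    hash_i = prf(skeyid_i, ke_i_b + ke_r_b + cky_i + cky_r + init.sa_proposal + init.identity)
    msg5 = keystream_xor(ske_i, init.identity + hash_i)
    plain5 = keystream_xor(ske_r, msg5)
    id_i, recv_hash_i = plain5[:-32], plain5[-32:]
    expected_i = prf(skeyid_r, ke_i_b + ke_r_b + cky_i + cky_r + resp.sa_proposal + id_i)
    if not hmac.compare_digest(recv_hash_i, expected_i):
        raise ValueError("HASH_I mismatch: pre-shared keys differ")
    # Message 6: responder identity + HASH_R, encrypted under SKEYID_e.
    hash_r = prf(skeyid_r, ke_r_b + ke_i_b + cky_r + cky_i + resp.sa_proposal + resp.identity)
    msg6 = keystream_xor(ske_r, resp.identity + hash_r)
    plain6 = keystream_xor(ske_i, msg6)
    id_r, recv_hash_r = plain6[:-32], plain6[-32:]
    expected_r = prf(skeyid_i, ke_r_b + ke_i_b + cky_r + cky_i + init.sa_proposal + id_r)
    if not hmac.compare_digest(recv_hash_r, expected_r):
        raise ValueError("HASH_R mismatch: pre-shared keys differ")
    return {"initiator_id": id_i, "responder_id": id_r,
            "cleartext_payloads": ["SA", "SA", "KE,Ni", "KE,Nr"],
            "identity_bytes_on_wire": msg5 + msg6}


if __name__ == "__main__":
    # Constructed sample: HQ and branch gateways with static addresses and a shared PSK.
    hq = Peer("HQ", "198.51.100.1", b"hq.example", {"203.0.113.10": b"constructed-psk"})
    branch = Peer("Branch", "203.0.113.10", b"branch.example", {"198.51.100.1": b"constructed-psk"})
    print(main_mode(hq, branch)["responder_id"])
```

Running it with a peer whose source address is absent from the PSK table fails in derive_keys before any identity is exchanged, which is the practical reason the article gives for pairing Main mode with static IPs (or with certificates, where the identity does not need to be known in advance).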

Further Reading

Wikipedia's guide to Internet Key Exchange

Article information

Author: Nathanael Baumbach