networking-forum.com
All times are UTC - 6 hours [ DST ]
 Post subject: Aggressive
PostPosted: Tue Mar 06, 2012 9:06 am 
New Member

Joined: Wed May 20, 2009 3:20 am
Posts: 19
Typically when looking at configurations for site-to-site VPNs which have one peer using a dynamic IP address, aggressive mode is used.
Can anyone confirm why this is needed if the IKE identities are configured on both sides?

_________________
www.Fir3net.com - Keeping You In The Know


 Post subject: Re: Aggressive
PostPosted: Tue Mar 06, 2012 9:33 am 
Senior Member

Joined: Sat Apr 09, 2011 3:55 pm
Posts: 355
Certs: CCIE CCNP-S CCDA MCSE RHCT Sec+ A+
Aggressive mode means fewer packets are exchanged and is just quicker than main mode to establish an IKE SA.


 Post subject: Re: Aggressive
PostPosted: Tue Mar 06, 2012 10:12 am 
Member

Joined: Sun Jun 26, 2011 6:22 pm
Posts: 108
Location: Quebec, Canada
Certs: CCNP, CCNA Security, CCNA, JNCIS-ENT
Yes, there are fewer packets exchanged while using aggressive mode, but that's not what it's for.

When you use main mode, the ID exchange is encrypted, while it is not with aggressive mode. That makes it so you absolutely need to know the pre-shared key of your peer before you actually exchange the ID, and the only way you can do that is by matching the peer with its IP address.

Aggressive mode "solves" that problem by doing the ID exchange in cleartext, which you can then identify your peer with and fetch the proper pre-shared key or certificate.


 Post subject: Re: Aggressive
PostPosted: Tue Mar 06, 2012 11:58 am 
New Member

Joined: Wed May 20, 2009 3:20 am
Posts: 19
Hmm, I'm not sure if that is 100% correct.
The IKE ID is much like a username for both main and aggressive mode; each side needs to have a matching pre-shared key so that asymmetric keys (via the use of Diffie-Hellman) can be generated.
What I'm failing to understand is that if the IKE ID is set on both sides, why aggressive mode would be required, as due to both sides knowing the IKE ID it should matter if it is sent encrypted (i.e. main mode).

Thanks all.....

 Post subject: Re: Aggressive
PostPosted: Tue Mar 06, 2012 12:10 pm 
Member

Joined: Sun Jun 26, 2011 6:22 pm
Posts: 108
Location: Quebec, Canada
Certs: CCNP, CCNA Security, CCNA, JNCIS-ENT
You know your own ID, you don't know the other side's ID.

Main mode encrypts the first phase completely, including the ID exchange where I tell you my ID and you tell me yours. How can I choose the proper tunnel-group with your ID to get the PSK if I don't know who you are yet? I have to use your IP to match, it's the only way I can get the right key for our ID exchange.


 Post subject: Re: Aggressive
PostPosted: Tue Mar 06, 2012 12:23 pm 
New Member

Joined: Wed May 20, 2009 3:20 am
Posts: 19
Yep, I agree that IKE IDs are not owned by the other side. But the IKE ID doesn't have to be an IP address. It can be configured using a number of settings.
You are also correct in terms of remote access, where the VPN gateway won't know about the ID and then will not know what tunnel group, but how about site-to-site VPN?

 Post subject: Re: Aggressive
PostPosted: Tue Mar 06, 2012 1:28 pm 
Member

Joined: Sun Jun 26, 2011 6:22 pm
Posts: 108
Location: Quebec, Canada
Certs: CCNP, CCNA Security, CCNA, JNCIS-ENT
Doesn't really matter if it's remote access or site-to-site. As soon as we're talking about a peer that has a dynamic IP, aggressive mode will be used since main mode can't work without knowing the peer's ID beforehand.
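The lookup-order problem the thread describes, as an added Python sketch that is not part of the original posts: the responder keeps one PSK table keyed by peer IP and one keyed by IKE ID, and SKEYID is derived as RFC 2409 specifies for pre-shared-key authentication (HMAC-SHA1 assumed as the prf). All addresses, IDs and keys are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed responder (hub) config. Real gateways keep the same two views:
# a tunnel-group selected by peer address and one selected by IKE ID.
PSK_BY_IP = {"203.0.113.10": b"static-site-psk"}          # peer with a fixed IP
PSK_BY_ID = {"branch@example.test": b"dynamic-site-psk"}  # peer with a dynamic IP


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared-key auth: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_select_psk(mode: str, src_ip: str, first_payloads: dict) -> Optional[bytes]:
    """What the responder can key its PSK lookup on when message 1 arrives.

    Main mode: messages 1-4 carry only SA, KE and nonces. The ID payload comes in
    message 5, already encrypted under keys derived from SKEYID (and thus from the
    PSK), so the PSK must be chosen before the ID is readable: source IP only.

    Aggressive mode: message 1 carries SA, KE, Ni and IDii in cleartext (visible to
    anyone on the path), so the PSK can be chosen by identity whatever the IP.
    """
    if mode == "main":
        return PSK_BY_IP.get(src_ip)
    if mode == "aggressive":
        return PSK_BY_ID.get(first_payloads.get("id"))
    raise ValueError(f"unknown mode {mode!r}")


def negotiate(mode: str, src_ip: str, peer_id: str, peer_psk: bytes) -> bool:
    """One simulated phase-1 attempt: True when both sides derive the same SKEYID,
    False when the responder could not select a key for this peer at all."""
    ni, nr = os.urandom(16), os.urandom(16)
    first_payloads = {"id": peer_id} if mode == "aggressive" else {}
    psk = responder_select_psk(mode, src_ip, first_payloads)
    if psk is None:
        return False
    return hmac.compare_digest(skeyid(psk, ni, nr), skeyid(peer_psk, ni, nr))


if __name__ == "__main__":
    # Static-IP site: main mode works because the source IP selects the PSK.
    print("main, static IP:    ", negotiate("main", "203.0.113.10", "hq@example.test", b"static-site-psk"))
    # Dynamic-IP site showing up from a new address: main mode has nothing to
    # key the lookup on; aggressive mode reads the ID out of message 1.
    print("main, dynamic IP:   ", negotiate("main", "198.51.100.77", "branch@example.test", b"dynamic-site-psk"))
    print("aggressive, dyn IP: ", negotiate("aggressive", "198.51.100.77", "branch@example.test", b"dynamic-site-psk"))
```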

