In aggressive mode, the initiator and recipient accomplish the same objectives, but in only two exchanges, with a total of three messages:
Because the participants' identities are exchanged in the clear (in the first two messages), aggressive mode does not provide identity protection.
Note: When a dialup VPN user negotiates an AutoKey IKE tunnel with a preshared key, aggressive mode must be used. Therefore, you must always use aggressive mode with the dynamic VPN feature. Note also that a dialup VPN user can use an e-mail address, a fully qualified domain name (FQDN), or an IP address as its IKE ID. A dynamic peer can use either an e-mail address or FQDN, but not an IP address.
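The cleartext identity exchange and the IKE ID types mentioned in the note can be checked on captured traffic. The following is an added example, not taken from the original documentation: it parses an IKEv1 (ISAKMP) message and reports any ID payload sent unencrypted in aggressive mode. The function names and the sample message are constructed for illustration; the numeric constants are the ones defined in RFC 2408 and RFC 2407.

```python
import socket
import struct

EXCHANGE_AGGRESSIVE = 4   # RFC 2408 exchange type; Main mode (Identity Protection) is 2
PAYLOAD_ID = 5            # RFC 2408 Identification payload
FLAG_ENCRYPTED = 0x01     # RFC 2408 header flag: payloads after the header are encrypted
ID_TYPES = {1: "ipv4", 2: "fqdn", 3: "email"}  # RFC 2407 ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN


def exposed_identity(packet: bytes):
    """Return (id_type, value) when a cleartext aggressive-mode message carries an ID payload."""
    if len(packet) < 28:
        return None
    next_payload, _ver, exchange, flags, _msg_id, length = struct.unpack("!BBBBII", packet[16:28])
    if exchange != EXCHANGE_AGGRESSIVE or flags & FLAG_ENCRYPTED:
        return None
    offset, end = 28, min(length, len(packet))
    while next_payload != 0 and offset + 4 <= end:
        following, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > end:
            return None  # malformed or truncated payload chain
        if next_payload == PAYLOAD_ID and plen >= 8:
            id_type, data = packet[offset + 4], packet[offset + 8:offset + plen]
            if id_type == 1 and len(data) == 4:
                return ("ipv4", socket.inet_ntoa(data))
            return (ID_TYPES.get(id_type, f"type-{id_type}"), data.decode("ascii", "replace"))
        next_payload, offset = following, offset + plen
    return None


def _payload(next_payload: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_sample(exchange: int, ident: bytes = b"user@example.com", id_type: int = 3) -> bytes:
    """Constructed message (not a capture): header, Nonce payload, then ID payload."""
    id_body = struct.pack("!BBH", id_type, 0, 0) + ident
    payloads = _payload(PAYLOAD_ID, b"\x00" * 16) + _payload(0, id_body)
    header = b"\x11" * 8 + b"\x00" * 8 + struct.pack(
        "!BBBBII", 10, 0x10, exchange, 0, 0, 28 + len(payloads))
    return header + payloads


if __name__ == "__main__":
    print("aggressive:", exposed_identity(build_sample(EXCHANGE_AGGRESSIVE)))
    print("main mode: ", exposed_identity(build_sample(2)))
```

Run over UDP port 500 payloads from a capture, a non-empty result shows which IKE ID a peer discloses to anyone on the path.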