For successful and secure communication using IPsec, the IKE (Internet Key Exchange) protocol takes part in a two-step negotiation. The first step uses Main mode or Aggressive mode (Phase 1), which authenticates the peers and/or encrypts their negotiation. In the second step, Quick mode (Phase 2) negotiates the algorithms and agrees on which traffic will be sent across the VPN.

Below we will take a look at Main mode (Phase 1). The security association is achieved in one of two ways, using Main mode or Aggressive mode. The purpose of Main mode, or Phase 1, is to set up a secure channel in which Quick mode, or Phase 2, can be negotiated.

Both devices in the negotiation exchange credentials with each other, and these must match for the peers to be authorised to establish a VPN connection. This is achieved by both peers using identical pre-shared keys or by using digital certificates. However, both devices have to use one form of identification or the other. So if one device is using a pre-shared key to prove its identity, the other device must use an identical pre-shared key. The same goes for digital certificates: if one device is using digital certificates, both sides need to use digital certificates. When both peers have done this, they have successfully identified themselves to each other.

In Phase 1, Main mode is used and three two-way exchanges take place between the initiator and the receiver of the tunnel. Main mode provides identity protection by authenticating peer identities when pre-shared keys are used, and is typically used for site-to-site tunnels. The IKE SAs are used to protect the security negotiations.
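The following is an added example, not part of the original page: it decodes the fixed ISAKMP header to tell Main mode, Aggressive mode and Quick mode messages apart and to show which ones travel encrypted. The header layout and exchange type numbers come from RFC 2408 and RFC 2409, which the page does not quote; the sample packets are constructed, header-only values rather than a capture.

```python
import struct

# ISAKMP (IKEv1) exchange type numbers, per RFC 2408 and RFC 2409.
EXCHANGES = {2: "Main mode", 4: "Aggressive mode", 5: "Informational", 32: "Quick mode"}
HEADER = struct.Struct("!8s8sBBBBII")  # fixed 28-byte ISAKMP header
FLAG_ENCRYPTED = 0x01                  # payloads after the header are encrypted

def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed ISAKMP header; raise ValueError on malformed input."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _ic, _rc, _next, version, xchg, flags, msg_id, length = HEADER.unpack_from(data)
    if version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {version >> 4})")
    if length < HEADER.size:
        raise ValueError("declared length is smaller than the header")
    return {
        "exchange": EXCHANGES.get(xchg, f"unknown ({xchg})"),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "message_id": msg_id,
    }

def build_header(icookie, rcookie, xchg, flags, msg_id):
    """Header-only packet for the constructed sample (next payload 0, length 28)."""
    return HEADER.pack(icookie, rcookie, 0, 0x10, xchg, flags, msg_id, HEADER.size)

# Constructed sample, not a capture: six Main mode messages, then one Quick mode message.
INIT, RESP, ZERO = b"\x11" * 8, b"\x22" * 8, b"\x00" * 8
SAMPLE = [
    build_header(INIT, ZERO, 2, 0, 0),        # 1: initiator proposes the IKE SA
    build_header(INIT, RESP, 2, 0, 0),        # 2: responder accepts a proposal
    build_header(INIT, RESP, 2, 0, 0),        # 3: initiator key exchange and nonce
    build_header(INIT, RESP, 2, 0, 0),        # 4: responder key exchange and nonce
    build_header(INIT, RESP, 2, 1, 0),        # 5: initiator identity and auth, encrypted
    build_header(INIT, RESP, 2, 1, 0),        # 6: responder identity and auth, encrypted
    build_header(INIT, RESP, 32, 1, 0x1234),  # Quick mode, protected by the IKE SA
]

def summarize(packets):
    """Return (exchange, encrypted, message_id) for each packet."""
    return [(h["exchange"], h["encrypted"], h["message_id"])
            for h in map(parse_isakmp_header, packets)]

if __name__ == "__main__":
    for n, row in enumerate(summarize(SAMPLE), 1):
        print(n, *row)
```

When reviewing a capture, Phase 1 messages carry message ID 0 and only the last Main mode exchange has the encryption flag set, while every Quick mode message is encrypted and carries a non-zero message ID.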