The Palo Alto Networks firewalls (or a firewall and another security device) that initiate and
terminate VPN connections across the two networks are called the IKE Gateways. To set up
the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP
address (static or dynamic) or an FQDN. The VPN peers use pre-shared keys or certificates to
authenticate each other mutually.
The peers must also negotiate the mode (main or aggressive) for
setting up the VPN tunnel, and the SA lifetime, in IKE Phase 1. Main
mode protects the identity of the peers: the additional packets it
exchanges while setting up the tunnel allow the peer identities to be
sent encrypted, which makes it the more secure option. Main mode
is the recommended mode for IKE negotiation if both peers support
it. Aggressive mode uses fewer packets to set up the VPN tunnel
and is hence faster, but it is a less secure option for setting up the
VPN tunnel.
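As an added example (not part of the original guide or Palo Alto Networks' own tooling), the following script audits IKE gateway entries for the settings this section describes: exchange mode, authentication method, and peer addressing. The XML element names mirror the shape of a PAN-OS "network/ike/gateway" configuration fragment but are an assumption, and the sample configuration is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a PAN-OS ike/gateway fragment
# (element names are an assumption, not taken from a real device export).
SAMPLE_CONFIG = """
<gateway>
  <entry name="gw-branch">
    <authentication><pre-shared-key><key>REDACTED</key></pre-shared-key></authentication>
    <protocol><version>ikev1</version>
      <ikev1><exchange-mode>aggressive</exchange-mode></ikev1></protocol>
    <local-address><interface>ethernet1/1</interface></local-address>
    <peer-address><dynamic/></peer-address>
  </entry>
  <entry name="gw-partner">
    <authentication><certificate><local-certificate><name>fw-cert</name></local-certificate></certificate></authentication>
    <protocol><version>ikev1</version>
      <ikev1><exchange-mode>main</exchange-mode></ikev1></protocol>
    <local-address><interface>ethernet1/2</interface></local-address>
    <peer-address><fqdn>vpn.partner.example</fqdn></peer-address>
  </entry>
</gateway>
"""

def audit_ike_gateways(xml_text):
    """Return {gateway_name: {"mode", "auth", "peer", "findings"}} for each IKE gateway entry."""
    root = ET.fromstring(xml_text)
    report = {}
    for entry in root.findall("entry"):
        name = entry.get("name")
        mode = entry.findtext("protocol/ikev1/exchange-mode", default="unset")
        # Peer authentication is either a pre-shared key or a certificate block.
        if entry.find("authentication/pre-shared-key") is not None:
            auth = "pre-shared-key"
        elif entry.find("authentication/certificate") is not None:
            auth = "certificate"
        else:
            auth = "none"
        # The peer is addressed by a static ip, an fqdn, or marked dynamic.
        peer_el = entry.find("peer-address")
        peer = "unset" if peer_el is None or len(peer_el) == 0 else peer_el[0].tag
        findings = []
        if mode != "main":
            findings.append(f"exchange-mode is '{mode}'; main mode is recommended when both peers support it")
        if auth == "none":
            findings.append("no peer authentication method (pre-shared key or certificate) configured")
        if peer == "unset":
            findings.append("peer has neither an IP address nor an FQDN")
        report[name] = {"mode": mode, "auth": auth, "peer": peer, "findings": findings}
    return report

if __name__ == "__main__":
    for gw, info in audit_ike_gateways(SAMPLE_CONFIG).items():
        print(gw, info)
```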