D-Link DFL-1600 User Manual page 236

Network security firewall
216
– Authenticate the communicating parties, either with a pre-shared key (PSK) or with a certificate.
– Exchange keying material using the Diffie-Hellman method.
– IKE SAs are created.
IKE Phase-2
– Negotiate how IPsec should be protected.
– Create a pair of IPsec SAs using the IKE SAs from phase-1, detailing the parameters for the IPsec connection.
– Extract new keying material from the Diffie-Hellman key exchange in phase-1, to provide session keys to use in protecting the VPN data flow.
Both the IKE SAs and the IPsec SAs have limited lifetimes, expressed as time (seconds) and data (kilobytes). These lifetimes prevent a connection from being used for too long, which is desirable from a cryptanalysis perspective.
IKE phase-1 involves very heavy computation, so its lifetime is generally longer than the phase-2 IPsec lifetime. This allows the IPsec connection to be re-keyed simply by performing another phase-2 negotiation. There is no need to do another phase-1 negotiation until the IKE SA's lifetime has expired.
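The relationship between the two lifetimes can be seen by modelling a tunnel tick by tick. The following is an added example, not code from the D-Link manual or firmware: it charges traffic to the current IPsec SA, re-keys with a new phase-2 when the IPsec SA's time or data limit is reached, and repeats the expensive phase-1 only once the IKE SA itself has expired. All names and lifetime values are constructed assumptions.

```python
"""IKE SA / IPsec SA lifetime model (added example, not D-Link code).

Ticks a VPN tunnel one second at a time, charges the traffic to the
current IPsec SA, and re-keys when either the time or the data lifetime
is reached.  A phase-2 re-key reuses the existing IKE SA; a phase-1
negotiation is only repeated once the IKE SA itself has expired.
All names and lifetime values below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    """An IKE SA (phase-1) or an IPsec SA (phase-2) with its lifetimes."""
    name: str
    life_seconds: int
    life_kbytes: int = 0          # 0 means "no data limit"
    age_seconds: int = 0
    used_kbytes: int = 0

    def expired(self) -> bool:
        """The lifetime is reached when either limit is hit, whichever first."""
        if self.age_seconds >= self.life_seconds:
            return True
        return self.life_kbytes > 0 and self.used_kbytes >= self.life_kbytes


@dataclass
class TunnelStats:
    phase1_negotiations: int = 0   # expensive: authentication + Diffie-Hellman
    phase2_negotiations: int = 0   # cheap: new IPsec SAs under the same IKE SA
    kbytes_sent: int = 0


def simulate_tunnel(duration_s: int, kbytes_per_s: int,
                    ike_life_s: int, ipsec_life_s: int,
                    ipsec_life_kb: int = 0) -> TunnelStats:
    """Run the tunnel for duration_s seconds and count negotiations."""
    stats = TunnelStats()
    ike_sa = None
    ipsec_sa = None
    for _ in range(duration_s):
        if ipsec_sa is None or ipsec_sa.expired():
            # A new IPsec SA needs a valid IKE SA; redo phase-1 only if it expired.
            if ike_sa is None or ike_sa.expired():
                stats.phase1_negotiations += 1
                ike_sa = SecurityAssociation("IKE SA", ike_life_s)
            stats.phase2_negotiations += 1
            ipsec_sa = SecurityAssociation("IPsec SA", ipsec_life_s, ipsec_life_kb)
        # Carry one second of traffic, then age both SAs by one second.
        ipsec_sa.used_kbytes += kbytes_per_s
        stats.kbytes_sent += kbytes_per_s
        ipsec_sa.age_seconds += 1
        ike_sa.age_seconds += 1
    return stats


if __name__ == "__main__":
    # Constructed scenario: 100 kB/s for one hour, 8 h IKE SA, 1 h / 100 MB IPsec SA.
    s = simulate_tunnel(3600, 100, ike_life_s=28800, ipsec_life_s=3600,
                        ipsec_life_kb=100_000)
    print(f"phase-1 negotiations: {s.phase1_negotiations}, "
          f"phase-2 negotiations: {s.phase2_negotiations}")
```

In the constructed scenario the 100 MB data limit is hit every 1000 seconds, so the hour needs four phase-2 negotiations but only one phase-1; shortening the IKE SA lifetime below the hour adds a second phase-1 without changing the phase-2 count.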
The IKE negotiation has two modes of operation, main mode and aggressive mode.
The difference between the two is that aggressive mode passes more information in fewer packets, with the benefit of slightly faster connection establishment, at the cost of transmitting the identities of the security gateways in the clear.
When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups, cannot be negotiated, so it becomes more important to have "compatible" configurations on both communication ends.
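The following added example (not code from the manual or from D-Link) shows why compatible configurations matter more in aggressive mode. In main mode the responder picks a Diffie-Hellman group from the initiator's ordered proposals; in aggressive mode the initiator has already committed to a single group in its first message, so any other proposal cannot be tried. The mode names, group numbers and peer configurations are constructed for the illustration; the group numbers 2, 5 and 14 are standard IKE MODP group identifiers.

```python
"""Main mode vs aggressive mode DH group negotiation (added example, not
D-Link code; mode names and peer configurations are constructed).

Main mode: the initiator offers an ordered list of proposals and the
responder chooses one it also supports, so the Diffie-Hellman group is
negotiated.  Aggressive mode: the initiator already includes its
Diffie-Hellman public value in the first message, so the group is fixed
by the initiator's configuration and the responder can only accept or
reject it.
"""
from typing import Optional, Sequence

MAIN = "main"
AGGRESSIVE = "aggressive"


def select_dh_group(mode: str, initiator_groups: Sequence[int],
                    responder_groups: Sequence[int]) -> Optional[int]:
    """Return the agreed DH group number, or None if phase-1 would fail."""
    if not initiator_groups:
        return None
    accepted = set(responder_groups)
    if mode == MAIN:
        # The responder walks the initiator's proposals in preference order.
        for group in initiator_groups:
            if group in accepted:
                return group
        return None
    if mode == AGGRESSIVE:
        # Only the committed (first) group is possible: there is no fallback.
        first = initiator_groups[0]
        return first if first in accepted else None
    raise ValueError(f"unknown IKE mode: {mode}")


def check_compatibility(mode: str, initiator_groups: Sequence[int],
                        responder_groups: Sequence[int]) -> str:
    """Human-readable verdict for a pair of peer configurations."""
    group = select_dh_group(mode, initiator_groups, responder_groups)
    if group is not None:
        return f"{mode} mode: agreed on DH group {group}"
    if mode == AGGRESSIVE and len(initiator_groups) > 1:
        return (f"{mode} mode: responder rejected committed DH group "
                f"{initiator_groups[0]}; alternative proposals "
                f"{list(initiator_groups[1:])} cannot be tried")
    return f"{mode} mode: no DH group in common"


if __name__ == "__main__":
    # Constructed peers: initiator prefers group 2, also offers 5 and 14;
    # responder accepts only 14 and 5.
    initiator, responder = [2, 5, 14], [14, 5]
    print(check_compatibility(MAIN, initiator, responder))
    print(check_compatibility(AGGRESSIVE, initiator, responder))
```

With the same two configurations, main mode settles on group 5 while aggressive mode fails, because the initiator committed to group 2 and the responder never sees the alternatives; aligning the first group on both ends is what "compatible" means here.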
D-Link Firewalls User's Guide
Chapter 22. VPN Protocols & Tunnels