Using a dynamic IP address for a VPN endpoint
The following restriction applies when a VPN endpoint has a dynamic IP address that has been assigned using DHCP, PPPoA, or PPPoE.
IKEv1 main mode with pre-shared key authentication is not supported. Aggressive mode allows the use of pre-shared keys, but for security reasons certificate-based authentication is also recommended when IKEv1 is set in aggressive mode. Always use IKEv2 if both VPN endpoints support it.