IPSec questions for CCNA-Security studies

Craddockc
Level 3

Dear Community,

I am currently studying for the CCNA-Security exam and am doing a deep dive on IPSec and VPNs. I may be going too deep on some of these topics for the exam, but I resolved to REALLY try to understand what is going on "underneath the hood", so to speak. I work as a Network Engineer and have configured, maintained and troubleshot many Site to Site IPSec VPN issues. But I must admit that I don't really completely understand exactly how some of it works and how it all sort of "fits together". So I am using this exam as motivation to do the deep dive. I have written down several questions as I've been studying, and I am hoping you can help to answer some or all of them.
-In Diffie-Hellman, the group # dictates the size of the key. Is this referring to the "common symmetrical secret key" the DH Alg on both sides eventually arrives at in secret? If so, how is this dictated ahead of time when the DH Alg hasn't even run yet? Is this achieved via using a large enough "random secret" number to perform the log function against? Or by choosing large enough prime numbers up front?
-In IKE Phase 1 Main mode, what is the point of encrypting the identity and auth info in the late stages of setting up the ISAKMP SA (packets #5 and 6) if all you have to do is look at the IP header to get the IP address of the sending device? Doesn't the ID Payload contain the same info (IP address of the sending device)?
-During Quick Mode IPSec SA negotiations, is the encryption domain/proxy ID (ACL defining interesting traffic) info shared with the peer as part of the proposal?
-In IKEv1, if you use AH only, does this mean that the data that is being sent using the Phase 2 SPI is NOT encrypted? If so, this seems to defeat the entire purpose of Phase 1, right?
Thanks in advance for any answers you can provide. 
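An added illustration of the first question (editor's example, not part of the original post): a toy Diffie-Hellman exchange in which the "group" is nothing more than a fixed prime modulus p and generator g agreed before the exchange runs, so the size of the shared secret g^xy is bounded by p before either peer has picked its random private exponent. The p and g below are small constructed values, not a real IKE group, and derive_key is a simplified model of how IKE feeds g^xy through a PRF rather than the exact RFC construction.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for demonstration only (NOT an IKE group; real
# groups such as group 14 use a fixed 2048-bit prime). The group is the
# part both peers know in advance: the modulus p and the generator g.
P = 2**31 - 1   # a 31-bit prime
G = 7


def dh_keypair(p=P, g=G):
    """Pick a random private exponent and return (private, public)."""
    priv = secrets.randbelow(p - 2) + 1   # random, never leaves this host
    pub = pow(g, priv, p)                 # g^priv mod p, sent in the clear
    return priv, pub


def dh_shared_secret(priv, peer_pub, p=P):
    """Combine own private exponent with the peer's public value."""
    return pow(peer_pub, priv, p)         # (g^b)^a mod p == (g^a)^b mod p


def run_exchange(p=P, g=G):
    """Run DH on both sides; return (secret_a, secret_b, secret_bits, group_bits).

    Only the two public values cross the wire. The result can never exceed
    p - 1, so its size is fixed by the group, not by the random exponents.
    """
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    s_a = dh_shared_secret(a_priv, b_pub, p)
    s_b = dh_shared_secret(b_priv, a_pub, p)
    return s_a, s_b, s_a.bit_length(), p.bit_length()


def derive_key(shared_secret, nonce_i, nonce_r, key_len=16):
    """Simplified model of IKE key derivation (assumption, not the exact RFC
    construction): a PRF keyed with both nonces is run over g^xy and the
    output is cut to the cipher's key length. The symmetric key length thus
    comes from the cipher (16 bytes here, e.g. AES-128); the DH group only
    decides how hard g^xy is to recover from the public values."""
    nbytes = (shared_secret.bit_length() + 7) // 8
    secret = shared_secret.to_bytes(nbytes, "big")
    return hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()[:key_len]
```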