Hi all,
I've set up IPSec VPN with IKEv2 between a USG60 and a USG110. The USG60 will be taken to different sites and thus will have various dynamic IPs, but still needs to connect back to the USG110.
On the USG110, the VPN Gateway (Phase 1) is set to a dynamic peer (auth with certificates), and the VPN Connection (Phase 2) is Site-to-Site with dynamic peer.
On the USG60, the VPN Gateway (Phase 1) is set to a static peer, and the VPN Connection (Phase 2) is Site-to-Site (with static peer).
The VPN Connections are ESP/Tunnel with PFS.
This all seems to work fine (with policy routes to handle the local and remote subnet routing).
However, I have two odd things going on that worry me.
1. On the USG110, the VPN Gateway is set to dynamic peer. Even though this is IKEv2, the tooltip seen when hovering over the little (i) next to "Dynamic Peer" says that this will force "Aggressive Mode". My understanding was that Aggressive was only for IKEv1 and was definitely not secure. Any thoughts on this?
2. Clicking "Connect" on the USG60 VPN Connection connects just fine. However, clicking "Disconnect" only temporarily disconnects me (even if I hit "Apply"). Within a couple minutes the connection is magically restored. The same thing happens if I disconnect the VPN Connection from the USG110. More disturbingly, if I've disconnected from one or the other (and they still show disconnected), browsing to an IP on the LAN of the remote USG110 automatically reconnects the VPN Connection. The only way I've been able to keep the connection from restarting has been to disable the VPN Connection and the VPN Gateway for a couple minutes. Note that neither of the VPN Connections has "Nailed Up" checked. However, on the USG110, where the VPN Connection is Site-to-Site with dynamic peer, "Nailed Up" is greyed out.
So, anybody know if "Aggressive Mode" in #1 above is just an old tooltip, or something to be concerned about?
And for #2, I'm hoping somebody can tell me why I'm seeing the reconnects. Perhaps because IKEv2 keeps the tunnel alive? Does setting Site-to-Site have some hidden "keep-alive" setting?
Thanks in advance for any ideas on this.
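As an added example (not part of the original post, and not Zyxel's configuration format; whether the USG firmware maps onto these exact knobs is an assumption), here is the same hub/roaming topology expressed in strongSwan's swanctl.conf. It makes two points concrete: IKEv2 has no Main/Aggressive Mode at all (strongSwan's `aggressive` option is IKEv1-only and has no effect under `version = 2`), and the three standard settings that make a tunnel come back on its own, namely a trap policy that initiates on the first packet toward the remote LAN, a dead-peer-detection action that re-initiates, and a close action that re-initiates when the peer tears the SA down. Addresses, subnets, hostnames and certificate file names are placeholders.

```conf
# Added example: strongSwan swanctl.conf for a static hub (role of the
# USG110) and a roaming spoke (role of the USG60). All addresses, subnets,
# identities and file names below are assumed placeholders.

connections {

    # Hub: static WAN address, accepts the spoke from any source address,
    # both sides authenticated with certificates from one assumed CA.
    hub {
        version = 2                        # IKEv2 only: no Main/Aggressive
                                           # Mode exists in this protocol
        # aggressive = yes                 # IKEv1-only knob; ignored for
                                           # version = 2, and insecure there
        local_addrs  = 203.0.113.10        # assumed static hub address
        remote_addrs = %any                # dynamic peer: any address
        proposals    = aes256-sha256-ecp256   # IKE_SA proposal
        dpd_delay    = 30s                 # send DPD probes every 30 s

        local {
            auth  = pubkey
            certs = hub-cert.pem           # assumed hub certificate
            id    = hub.example.com
        }
        remote {
            auth    = pubkey
            cacerts = ca-cert.pem          # accept certs issued by this CA
            id      = spoke.example.com    # and only with this identity
        }

        children {
            lan {
                local_ts  = 10.1.0.0/24    # hub LAN (assumed)
                remote_ts = 10.2.0.0/24    # roaming LAN (assumed)
                mode = tunnel              # ESP in tunnel mode
                esp_proposals = aes256gcm16-ecp256   # DH group = PFS
                # A responder cannot initiate toward %any, so the
                # "bring it up myself" actions are not useful here.
                start_action = none
                dpd_action   = clear       # just drop the SA on DPD timeout
                close_action = none
            }
        }
    }

    # Spoke: dynamic local address, static peer. The three settings marked
    # "reconnect" are what produce a tunnel that restores itself after a
    # manual disconnect and comes up when LAN traffic appears.
    spoke {
        version = 2
        remote_addrs = 203.0.113.10        # static hub address
        proposals    = aes256-sha256-ecp256
        dpd_delay    = 30s
        local {
            auth  = pubkey
            certs = spoke-cert.pem         # assumed spoke certificate
            id    = spoke.example.com
        }
        remote {
            auth    = pubkey
            cacerts = ca-cert.pem
            id      = hub.example.com
        }
        children {
            lan {
                local_ts  = 10.2.0.0/24
                remote_ts = 10.1.0.0/24
                esp_proposals = aes256gcm16-ecp256
                start_action = trap        # reconnect: first packet to
                                           # 10.1.0.0/24 triggers IKE, even
                                           # after a manual close
                dpd_action   = restart     # reconnect: re-initiate after
                                           # the hub stops answering DPD
                close_action = start       # reconnect: re-initiate when the
                                           # hub closes the CHILD_SA
                # For a disconnect that stays down until explicitly started:
                #   start_action = none   dpd_action = clear   close_action = none
                # For an always-up ("nailed up") tunnel:
                #   start_action = start  (initiated at load, re-initiated on loss)
            }
        }
    }
}
```

With the spoke configured this way, closing the SA on either side is undone within one DPD interval or on the next packet toward the hub LAN, which is the behaviour described in point 2; the difference between "trap", "start" and "none" is the whole story, and `dpd_delay` sets how long the "disconnected" state lasts before the DPD-driven restart.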