Here you will find answers to IPSec VPN questions:
Question 1
IPsec VPN is a widely acknowledged solution for enterprise networks. Which three IPsec VPN statements are true? (Choose three)
A - IKE keepalives are unidirectional and sent every ten seconds.
B - IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys.
C - To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three packets.
D - IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.
Answer: A C D
Question 2
Study the exhibit carefully. The Cisco IOS IPsec High Availability (IPsec HA) Enhancements feature provides an infrastructure for reliable and secure networks that delivers transparent availability of the VPN gateways, that is, Cisco IOS Software-based routers. Which two options are used to provide High Availability IPsec? (Choose two)

    crypto map mymap 1 ipsec-isakmp
     set peer 10.1.1.1
     reverse-route
     set transform-set esp-3des-sha
     match address 102
    !
    interface FastEthernet0/0
     ip address 192.168.0.2 255.255.255.0
     standby name group1
     standby ip 192.168.0.3
     crypto map mymap redundancy group1
    !
    access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
A - HSRP
B - Dual Router Mode (DRM) IPsec
C - IPsec Backup Peerings
D - RRI
Answer: A D
Explanation:
The "standby ip" command indicates that HSRP is in use, and it sets 192.168.0.3 as the IP address of the virtual router.
The "crypto map" entry's "reverse-route" line, together with "crypto map mymap redundancy group1" on the interface, indicates that Reverse Route Injection (RRI) is in use. RRI is the process of injecting a static route for the protected remote network into the routing table, from where it can be redistributed into the Interior Gateway Protocol (IGP).
To configure RRI under a static crypto map, we perform the following steps:
1. configure terminal
2. crypto map {map-name} {seq-num} ipsec-isakmp (creates or modifies a crypto map entry and enters crypto map configuration mode)
3. reverse-route [static | tag tag-id [static] | remote-peer [static] | remote-peer ip-address [static]] (creates source proxy information for a crypto map entry)
Question 3
IPsec VPN is a widely acknowledged solution for enterprise networks. What are the four steps to set up an IPsec VPN?
A - Step 1: Interesting traffic initiates the IPsec process. Step 2: ESP authenticates IPsec peers and negotiates IKE SAs. Step 3: ESP negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. Step 4: Data is securely transferred between IPsec peers.
B - Step 1: Interesting traffic initiates the IPsec process. Step 2: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. Step 3: IKE authenticates IPsec peers and negotiates IKE SAs. Step 4: Data is securely transferred between IPsec peers.
C - Step 1: Interesting traffic initiates the IPsec process. Step 2: IKE authenticates IPsec peers and negotiates IKE SAs. Step 3: IKE negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. Step 4: Data is securely transferred between IPsec peers.
D - Step 1: Interesting traffic initiates the IPsec process. Step 2: AH authenticates IPsec peers and negotiates IKE SAs. Step 3: AH negotiates IPsec SA settings and sets up matching IPsec SAs in the peers. Step 4: Data is securely transferred between IPsec peers.
Answer: C
Question 4
Which statement correctly describes IPsec VPN backup technology?
A - The crypto isakmp keepalive command is used to configure the Stateful Switchover (SSO) protocol.
B - Reverse Route Injection (RRI) is configured at the remote site to inject the central site networks.
C - Each Hot Standby Routing Protocol (HSRP) standby group has two well-known MAC addresses and a virtual IP address.
D - The crypto isakmp keepalive command is used to configure stateless failover.
Answer: D
Question 5
You need to configure a GRE tunnel on an IPsec router. When you are using the SDM to configure a GRE tunnel over IPsec, which two parameters are required when defining the tunnel interface information? (Select two)
A - The crypto ACL number
B - The IPsec mode (tunnel or transport)
C - The GRE tunnel interface IP address
D - The GRE tunnel source interface or IP address, and tunnel destination IP address
E - The MTU size of the GRE tunnel interface
Answer: C D