Cisco Implementing Firewall Technologies


Which method is used to identify interesting traffic needed to create an IKE phase 1 tunnel?

A permit access list entry. In order to bring up the IKE phase 1 tunnel, an access list must be configured with a permit statement that will identify interesting traffic.

To configure an IKE phase 1 tunnel to identify interesting traffic, what is each IPsec peer router configured with to permit traffic?

ACL

Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality?

AH. Authentication Header (AH) is IP protocol 51 and does not provide data confidentiality. The data payload is not encrypted.

A function of IPsec that provides specific access to users and devices with valid authentication factors.

Authentication

A function of IPsec that utilizes encryption to protect data transfers with a key.

Confidentiality

What is the first step in establishing an IPsec VPN?

Detection of interesting traffic

Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols?

GRE (Generic Routing Encapsulation)

What is a tunneling protocol developed by Cisco that encapsulates multiprotocol traffic between remote Cisco routers?

Generic Routing Encapsulation (GRE)

What VPN implementation allows VPN traffic received on a single interface to be routed back out that same interface?

Hairpinning

Which are the five security associations to configure in ISAKMP policy configuration mode?

Hash, Authentication, Group, Lifetime, Encryption. When in ISAKMP policy configuration mode, the security associations for the IKE Phase 1 tunnel can be configured. Use the mnemonic HAGLE to remember the five security associations to configure:

What is a hybrid protocol that implements key exchange protocols inside the Internet Security Association Key Management Protocol (ISAKMP) framework?

IKE (Internet Key Exchange)

During which part of establishing an IPsec VPN tunnel between two sites would NAT-T detection occur?

IKE Phase 1

Once interesting traffic is detected by matching the access list, what phase can begin that will configure the tunnel?

IKE phase 1 negotiations

In what version and phase of IKE can the VPN end devices detect whether the other device is NAT-T capable and whether either device is connecting through a NAT-enabled device?

IKE version 2 Phase 1

What is a suite of protocols that allows for the exchange of information that can be encrypted and verified?

IPsec

What security protocol uses IKE to establish the key exchange process between two peers?

IPsec

What takes place during IKE Phase 2 when establishing an IPsec VPN?

IPsec security associations are exchanged. During IKE Phase 2, IPsec peers exchange the IPsec security associations (SAs) that each peer is willing to use to establish the IPsec tunnel.

What policy defines the message format, the mechanics of a key exchange protocol, and the negotiation process to build an SA for IPsec?

ISAKMP (pronounced "Ice-a-camp")

What policy contains security associations (SAs) that an IPsec peer is willing to use to establish an IKE tunnel?

ISAKMP policy

A function of IPsec that ensures data arrives unchanged at the destination through the use of a hash algorithm.

Integrity

Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit?

Integrity

How is interesting traffic defined?

Interesting traffic is defined by an access list permit statement.

What is a key management standard used with IPsec?

Internet Key Exchange (IKE)

Which statement describes the operation of the IKE protocol?

It calculates shared keys based on the exchange of a series of data packets.

What is the DH (Diffie-Hellman) algorithm used for?

Key exchange. DH is a public key exchange method and allows two IPsec peers to establish a shared secret key over an insecure channel.

What layers do MPLS and GRE operate at?

Layer 3 VPNs.

What VPN, consisting of a set of sites that are interconnected by means of a provider core network, is easier to manage and expand than conventional VPNs?

MPLS

What does MPLS stand for?

Multiprotocol Label Switching (MPLS)

A function of IPsec that allows two peers to maintain their private key confidentiality while sharing their public key.

Secure key exchange

What associations does the ISAKMP policy list that a router is willing to use to establish a tunnel for IKE?

Security associations

What VPN tunneling allows traffic that originates from a remote-access client to be split according to traffic that must cross a VPN and traffic that is destined for the public Internet?

Split tunneling

What is defined by an ISAKMP policy?

The security associations that IPsec peers are willing to use. The ISAKMP policy lists security associations (SAs) that an IPsec peer is willing to use to establish an IKE tunnel.

True/False: GRE does not encrypt data.

True

True/False: NAT-T has the ability to encapsulate ESP packets inside UDP.

True

What port does IKE use to exchange IKE information between the security gateways?

UDP port 500

What command is used to view the ISAKMP policy?

Use the show crypto isakmp policy command to view the policy.

The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

confidentiality

How many phases of ISAKMP key negotiation does IKE use?

phase 1 and phase 2

What is a benefit of having users or remote employees use a VPN to connect to the existing network rather than growing the network infrastructure?

scalability

Which VPN implementation allows traffic that originates from a remote-access client to be separated into trusted VPN traffic and untrusted traffic destined for the public Internet?

split tunneling

What version of IKE now supports NAT-T?

version 2

