sec150 chapter 8 ALL


What is defined by an ISAKMP policy?

The security associations that IPsec peers are willing to use. The ISAKMP policy lists security associations (SAs) that an IPsec peer is willing to use to establish an IKE tunnel.

What command is used to view the ISAKMP policy?

Use the show crypto isakmp policy command to view the policy.

Which of the following are AnyConnect deployment modes? (Select all that apply) b. FlexVPN mode, where the AnyConnect client is downloaded to a user computer through a browser. The user opens a browser and references the IP address or the FQDN of a Cisco ASA or Cisco FTD device to establish an SSL VPN tunnel, and the client is downloaded to the user's system. d. all of these answers are correct.

a. Web-enable mode, where the AnyConnect client is downloaded to a user computer through a browser. The user opens a browser and references the IP address or the FQDN of a Cisco ASA or Cisco FTD device to establish an SSL VPN tunnel, and the client is downloaded to the user's system. c. Standalone mode. With this method, the client is downloaded as a standalone application from a file server or directly from Cisco.com.

The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

confidentiality

Which VPN implementation allows traffic that originates from a remote-access client to be separated into trusted VPN traffic and untrusted traffic destined for the public Internet?

split tunneling

What version of IKE now supports NAT-T?

version 2

Which of the following are core building blocks to provide the required functionality for the GETVPN solution?

-IP tunnel header preservation -Key servers (KSs). quiz17

Which of the following VPN protocols do not provide encryption? -PPTP -Layer 2 Forwarding L2F -L2TP -Generic Routing Pro -All

All of these. quiz17

A function of IPsec that provides specific access to users and devices with valid authentication factors.

Authentication

A function of IPsec that utilizes encryption to protect data transfers with a key.

Confidentiality

The second step to configure static site-to-site VPNs in the Cisco ASA is _____.

Create ISAKMP policy. quiz17

During which part of establishing an IPsec VPN tunnel between two sites would NAT-T detection occur?

IKE Phase 1

Once interesting traffic is detected by matching the access list, which phase can begin to configure the tunnel?

IKE phase 1 negotiations

In which version and phase of IKE can the VPN end devices detect whether the other device is NAT-T capable and whether either device is connecting through a NAT-enabled device?

IKE version 2 Phase 1

Which of the following statements is true? b. IKEv1 and IKEv2 are compatible protocols; consequently, you can configure an IKEv1 device to establish a VPN tunnel with an IKEv2 device. c. IKEv1 and IKEv2 are incompatible protocols; however, they both support EAP for authentication. d. In IKEv1 implementations, fewer packets are exchanged and less bandwidth is needed compared to IKEv2.

IKEv1 and IKEv2 are incompatible protocols; consequently, you cannot configure an IKEv1 device to establish a VPN tunnel with an IKEv2 device.

What is a suite of protocols that allows for the exchange of information that can be encrypted and verified?

IPsec

What policy defines the message format, the mechanics of a key exchange protocol, and the negotiation process to build an SA for IPsec?

ISAKMP (pronounced "Ice-a-camp")

What policy contains the security associations (SAs) that an IPsec peer is willing to use to establish an IKE tunnel?

ISAKMP policy

A function of IPsec that ensures data arrives unchanged at the destination through the use of a hash algorithm.

Integrity

Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit?

Integrity

Which VPN type consists of a set of sites interconnected by means of a provider core network and is easier to manage and expand than conventional VPNs?

MPLS

Which port does IKE use to exchange IKE information between the security gateways?

UDP port 500

You configured a site-to-site VPN tunnel between two Cisco routers. IKE Phase 1 is established; however, the tunnel Phase 2 negotiation is failing. Which of the following commands will you use to troubleshoot IPsec Phase 2 negotiations? (Select all that apply) -show crypto isakmp sa -show crypto ipsec sa -show crypto ikev2 sa detailed -show crypto ikev2 session

b. show crypto ipsec sa d. show crypto ikev2 session

You were hired to deploy a VPN solution that will provide connectivity to kiosks at a retail store that are used by all customers to find info about the services and products offered. Which VPN solution will you implement? a. FlexVPN with AnyConnect b. GETVPN c. Clientless SSL VPN d. None of these answers is correct

clientless SSL VPN.

The EAP messages between the IKEv2 client and the FlexVPN server are embedded within the IKEv2 EAP payload and are transported within the IKE_AUTH request and response messages. The EAP messages between the FlexVPN server and the RADIUS-based EAP server are embedded within which of the following? -the RADIUS AV-Pair attribute -the RADIUS Accounting packet -the EAP-Failure message.

-the RADIUS EAP-Message attribute.

Which method is used to identify interesting traffic needed to create an IKE phase 1 tunnel?

A permit access list entry. In order to bring up the IKE phase 1 tunnel, an access list must be configured with a permit statement that identifies interesting traffic.

To configure an IKE phase 1 tunnel to identify interesting traffic, what is each IPsec peer router configured with to permit traffic?

ACL

Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality?

AH. Authentication Header (AH) is IP protocol 51 and does not provide data confidentiality; the data payload is not encrypted.

Which of the following VPN protocols do not provide encryption? A. Layer 2 Tunneling Protocol (L2TP) B. Layer 2 Forwarding (L2F) Protocol C. Generic Routing Encapsulation (GRE) D. All of these answers are correct. E. Point-to-Point Tunneling Protocol (PPTP)

D. ALL of these. quiz17

What is the first step in establishing an IPsec VPN?

Detection of interesting traffic

Refer to the exhibit. What algorithm is being used to provide public key exchange?

Diffie-Hellman

IPsec tunnels can be set up statically or dynamically using virtual interfaces of type VTI (Virtual-Tunnel Interface) or GRE over IPsec. These types of interfaces already existed in legacy IKEv1, and their use has been extended to which of the following solutions? -clientless SSL VPN -MPLS VPNs -AnyConnect -FlexVPN

FlexVPN. quiz17

You are hired to deploy site-to-site VPN tunnels in a Cisco router where the VPN peers are third-party devices from different vendors. These devices have IKEv2 enabled. Which of the following technologies will you choose? -DMVPN -GETVPN -FlexVPN -GRE over IPSec.

FlexVPN. quiz17

Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols?

GRE (Generic Routing Encapsulation)

What is a tunneling protocol developed by Cisco that encapsulates multiprotocol traffic between remote Cisco routers?

Generic Routing Encapsulation (GRE)

What VPN implementation allows VPN traffic received on a single interface to be routed back out that same interface?

Hairpinning

Which are the five security associations to configure in ISAKMP policy configuration mode?

Hash, Authentication, Group, Lifetime, Encryption. When in ISAKMP policy configuration mode, the security associations for the IKE Phase 1 tunnel can be configured. Use the mnemonic HAGLE to remember the five security associations to configure.

What is a hybrid protocol that implements key exchange protocols inside the Internet Security Association and Key Management Protocol (ISAKMP) framework?

IKE (Internet Key Exchange)

What takes place during IKE Phase 2 when establishing an IPsec VPN?

IPsec security associations are exchanged. During IKE Phase 2, IPsec peers exchange the IPsec security associations (SAs) that each peer is willing to use to establish the IPsec tunnel.

The tunnel mode _____ {ipv4 | ipv6} command configures the tunnel to carry IPv4 or IPv6 traffic directly within IPsec tunnel mode.

IPsec. quiz17

How is interesting traffic defined?

Interesting traffic is defined by an access list permit statement.

What is a key management standard used with IPsec?

Internet Key Exchange (IKE)

What is the DH (Diffie-Hellman) algorithm used for?

Key exchange. DH is a public key exchange method and allows two IPsec peers to establish a shared secret key over an insecure channel.

Refer to the following configuration snippet: Which VPN implementation type does this configuration snippet apply to? -Remote Access VPN in Cisco Router -Remote Access VPN in Cisco ASA -Site-to-site VPN in Cisco ASA -Site-to-site VPN in Cisco Router

Remote Access VPN in Cisco ASA.

A function of IPsec that allows two peers to maintain their private key confidentiality while sharing their public key.

Secure key exchange

What does the ISAKMP policy list that a router is willing to use to establish a tunnel for IKE?

Security associations

What VPN tunneling allows traffic that originates from a remote-access client to be split according to traffic that must cross a VPN and traffic that is destined for the public Internet?

Split tunneling

True/False GRE does not encrypt data.

True

True/False NAT-T has the ability to encapsulate ESP packets inside UDP.

True

Which of the following are key points you need to take into consideration before you choose your SSL VPN deployment mode? a. Before designing and implementing the SSL VPN solution for your corporate network, you need to determine whether your users connect to your corporate network from public shared computers, such as workstations made available to guests in a hotel or computers in an Internet kiosk. In this case, using a clientless SSL VPN is the preferred solution to access the protected resources. b. The SSL VPN functionality on the ASAs requires that you have appropriate licenses. Make sure that you have the appropriate license for your SSL VPN deployment. c. Network security administrators need to determine the size of the SSL VPN deployment, especially the number of concurrent users that will connect to gain network access. If one Cisco ASA is not enough to support the required number of users, clustering or load balancing must be considered to accommodate all the potential remote users.

d. All of these answers are correct. quiz17

Which of the following statements are true about site-to-site VPN deployments in Cisco FTD? a. A site-to-site VPN connection in Cisco FTD devices can only be made across domains by using an extranet peer for the endpoint not in the current domain. b. A VPN topology cannot be moved between domains. c. Network objects with a "range" option are not supported in VPN.

d. All of these. quiz 17

Which of the following are examples of the differences that exist between IKEv1 and IKEv2? a. IKEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. There is a single exchange of a message pair for the IKEv2 IKE_SA. b. IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 uses an exchange of at least three message pairs for phase 2. In short, IKEv2 has been designed to be more efficient than IKEv1, since fewer packets are exchanged and less bandwidth is needed compared to IKEv1. c. Although IKEv1 supports some of the authentication methods that are used in IKEv2, IKEv1 does not allow the use of Extensible Authentication Protocol (EAP). d. All of these answers are correct.

d. All of these. quiz17

Which of the following statements are true about Cisco FTD VPN deployments? a. Rapid Threat Containment is supported by Cisco FTD using RADIUS Change of Authorization (CoA) or RADIUS dynamic authorization. b. Double authentication is supported using an additional AAA server for secondary authentication. c. Remote access VPN can be configured on both FMC and FDM.

d. All.

How many phases of ISAKMP key negotiation does IKE use?

phase 1 and phase 2

Which of the following statements are true about site-to-site VPN deployments in Cisco FTD?

quiz17. All of them

What is a benefit of having users or remote employees use a VPN to connect to the existing network rather than growing the network infrastructure?

scalability

Which of the following attributes are negotiated in IKEv1 exchanges?

*SA_INIT* (need to confirm). quiz17

Which of the following technologies groups many spokes into a single mGRE interface? -GETVPN -FlexVPN -GRE over IPSec.

-*DMVPN* quiz17

You are hired to configure a site-to-site VPN between a Cisco FTD device and a Cisco IOS-XE router. Which of the following encryption and hashing protocols will you select for optimal security? -IDEA, SHA, Diffie-Hellman Group 2 -AES-192, SHA, Diffie-Hellman Group 5. -AES-256, SHA, Diffie-Hellman Group 21.

-AES-192, SHA, Diffie-Hellman Group 21. quiz17

When you configure static site-to-site VPNs in the Cisco ASA, which of the following are attributes for the ISAKMP policy?

-ESP Authentication -D-H group (need to confirm). quiz17

Refer to the following configuration snippet: Which VPN technology is used in the configuration snippet? -DMVPN -GRE over IPsec -GETVPN

-FlexVPN

GDOI is defined as the ISAKMP Domain of Interpretation (DOI) for group key management. The GDOI protocol operates between a group of members and a group controller or key server (GCKS), which establishes SAs among authorized group members. Which of the following technologies uses GDOI to establish SAs between authorized peers (group members)? -FlexVPN -DMVPN -none of these

-GETVPN

VPN implementations are categorized into two distinct groups, _____ and ____.

-Site-to-site VPNs -Remote-access VPNs. quiz17

With NAT-T, the VPN peers dynamically discover whether an address translation device exists between them. If they detect a NAT/PAT device, they use _____ to encapsulate the packets, subsequently allowing the NAT device to successfully translate and forward the packets. -UDP port 500 -TCP port 4500 -TCP port 443

-UDP port 4500

An IPsec transform (proposal) set specifies what type of encryption and hashing to use for the data packets after a secure connection has been established. This provides data authentication, confidentiality, and integrity. The IPsec transform set is negotiated during quick mode. Which of the following commands is used to create an IPsec proposal (transform set) in a Cisco ASA? -crypto ipsec ikev2 transform_set mypolicy -crypto ikev2 mypolicy 1 -crypto isakmp policy mypolicy

-crypto ipsec ikev2 ipsec-proposal mypolicy. quiz17

Enabling debugs could potentially increase the load on busy network infrastructure devices. Which of the following is a feature that allows logging information to be stored in binary files so that you can later retrieve it without adding any more stress on the infrastructure device? -FMC health debugs -Diagnostics and Reporting Tool (DART) -Debug Binary Decomposition (DBD)

-event-trace monitoring

When you configure IPsec VPNs in supported Cisco devices, you can use _____ and _____ commands for IP connectivity, IKEv1, IKEv2, IPsec, GRE encapsulation, RADIUS authentication, and many other related technologies.

-show -debug. quiz17

What security protocol uses IKE to establish the key exchange process between two peers?

IPsec

Which statement describes the operation of the IKE protocol?

It calculates shared keys based on the exchange of a series of data packets.

What layers do MPLS and GRE operate at?

Layer 3 VPNs.

What does MPLS stand for?

Multiprotocol Label Switching (MPLS)

