IPsec VPN Types, Cisco IOS VTI


A major benefit of IPsec VTIs is that the configuration does not require a static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with ________________.

a virtual interface

Use the ________________ command to display the parameters for each local IKE policy.

show crypto isakmp policy

Use the ________________ command to verify the status of the IKE peering SAs. This command displays all existing IKE peering SAs.

show crypto isakmp sa

The following are characteristics of the simplest form of Cisco IOS Software tunnel-based site-to-site IPsec VPN configuration:

-It replaces cryptographic map-based configuration.
-It is intuitive to configure and integrates better with other Cisco IOS Software features.

This VPN type was created to simplify the deployment of VPNs, to address the complexity of multiple solutions, and, as a unified ecosystem, to cover all types of VPN: remote-access, teleworker, site-to-site, mobility, managed security services, and others.

Cisco IOS FlexVPN

What hash algorithm and DH group do you want to avoid in Cisco IOS policies?

-MD5 hash algorithm
-DH Group 2

When should you use dynamic routing protocol in VTI?

Use a dynamic routing protocol in large networks and to provide path or peer redundancy with multiple VTI tunnels. Otherwise, use static routing over VTI tunnels.

When should you use dynamic VTI tunnels?

Use dynamic VTI tunnels for the hub in large hub-and-spoke networks. Otherwise, use static VTI tunnels.

What are the deployment choices for IPsec VTI?

-Use static or dynamic VTI tunnels
-Use static or dynamic routing protocol over VTI tunnels

This VPN type is a tool that customers can use to configure IPsec-based VPNs between site-to-site devices. It encapsulates traffic with new packet headers, and the network is private because traffic can enter a tunnel only at an endpoint.

Virtual Tunnel Interfaces (VTIs)

What are the 3 types of VPNs typically configured on Cisco IOS devices?

-Virtual Tunnel Interfaces (VTIs)
-Dynamic Multipoint VPNs (DMVPNs)
-Cisco IOS FlexVPN

What are three different types of redundancy models that can be implemented with FlexVPN?

-Dynamic routing protocols over FlexVPN tunnels. Path and headend selection is based on dynamic routing metrics.
-IKEv2-based dynamic route distribution and server clustering.
-IPsec/IKEv2 active/standby stateful failover between two chassis.

VTI features include the following:

-They behave as regular tunnels, one for each remote site of the VPN.
-Their encapsulation must be either IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH).
-Their line protocol depends on the state of the VPN tunnel (IPsec Security Associations [SAs]).

What are the authentication algorithm, encryption algorithm, hash algorithm, and DH group for the following default Cisco IOS IKE PSK-based policies: 65508, 65510, 65512, 65514?

-65508: PSK, AES, SHA, 5
-65510: PSK, AES, MD5, 5
-65512: PSK, 3DES, SHA, 2
-65514: PSK, 3DES, MD5, 2

This VPN type uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users.

Dynamic Multipoint VPNs (DMVPNs)

What are benefits of FlexVPN? (8)

-Flexibility in transport network
-Easy Deployment Style
-Failover redundancy
-Third-party compatibility
-IP Multicast Support
-Superior QoS
-Centralized Policy Control
-VRF Awareness

What is involved in setting up an IKE SA between two peers?

ISAKMP Policy, which involves:
-Determine the peer authentication method (PSK/RSA)
-Specify encryption and hashing algorithm that will be used to protect IKE packets
-Determine the strength of the session key exchange method (Diffie-Hellman (DH) algorithm)
-Use an appropriate IKE session lifetime

What are some limitations of IPsec VTI?

-Limited to only IP unicast and multicast traffic
-Cisco IOS Software IPsec stateful failover is not supported with IPsec VTIs.

What are the 2 tasks when configuring basic IKE peering?

-Set up an IKE SA between two peers
-Create a PSK and bind it to the name or IP address of the VPN peer

What are benefits of IPsec VTI?

-Simplifies Configuration
-Flexible Interface feature support
-Multicast support
-Improved Scalability
-Provides a routable interface

