Chapter 8: Implementing Virtual Private Networks


SHA

What HMAC algorithm is being used to provide data integrity? SHA MD5 DH AES

AES

What algorithm will be used for providing confidentiality? AES Diffie-Hellman RSA DES

The VPN connection is initiated by the remote user

What is an important characteristic of remote-access VPNs? Internal hosts have no knowledge of the VPN. The VPN configuration is identical between the remote devices. Information required to establish the VPN must remain static. The VPN connection is initiated by the remote user

It will be sent encrypted.

How will traffic that does not match that defined by access list 101 be treated by the router? It will be sent encrypted. It will be discarded. It will be sent unencrypted. It will be blocked.

to define the encryption and integrity algorithms that are used to build the IPsec tunnel

Consider the following configuration on a Cisco ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
What is the purpose of this command? to define only the allowed encryption algorithms to define the ISAKMP parameters that are used to establish the tunnel to define what traffic is allowed through and protected by the tunnel to define the encryption and integrity algorithms that are used to build the IPsec tunnel

access list

What is needed to define interesting traffic in the creation of an IPsec tunnel? access list security associations transform set hashing algorithm

allows peers to exchange shared keys

What is the function of the Diffie-Hellman algorithm within the IPsec framework? allows peers to exchange shared keys provides strong data encryption guarantees message integrity provides authentication

permits VPN to work when NAT is being used on one or both ends of the VPN

What is the purpose of NAT-T? upgrades NAT for IPv4 allows NAT to be used for IPv6 addresses enables NAT for PC-based VPN clients permits VPN to work when NAT is being used on one or both ends of the VPN

When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types.

What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites? By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent public users from connecting to the VPN-enabled router. Multiple crypto ACLs can be configured to deny specific network traffic from crossing a VPN. When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types. Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled router across the Internet or network.

ESP AH ISAKMP

What three protocols must be permitted through the company firewall for establishment of IPsec site-to-site VPNs? (Choose three.) ESP NTP HTTPS AH ISAKMP SSH

during both Phase 1 and 2

When is a security association (SA) created if an IPsec VPN tunnel is used to connect between two sites? only during Phase 1 only during Phase 2 during both Phase 1 and 2 after the tunnel is created, but before traffic is sent

negotiation of IPsec policy

Which action do IPsec peers take during the IKE Phase 2 exchange? exchange of DH keys negotiation of IPsec policy verification of peer identity negotiation of IKE policy sets

R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address 209.165.200.226

Which pair of crypto isakmp key commands would correctly configure PSK on the two routers?
R1(config)# crypto isakmp key cisco123 hostname R1 R2(config)# crypto isakmp key cisco123 hostname R2
R1(config)# crypto isakmp key cisco123 address 209.165.200.227 R2(config)# crypto isakmp key cisco123 address 209.165.200.226
R1(config)# crypto isakmp key cisco123 address 209.165.200.226 R2(config)# crypto isakmp key cisco123 address 209.165.200.227
R1(config)# crypto isakmp key cisco123 address 209.165.200.226 R2(config)# crypto isakmp key secure address 209.165.200.227

IPsec

Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN? AES ESP IPsec MD5

IPsec is a framework of open standards that relies on existing algorithms.

Which statement accurately describes a characteristic of IPsec? IPsec works at the application layer and protects all application data. IPsec works at the transport layer and protects data at the network layer. IPsec is a framework of open standards that relies on existing algorithms. IPsec is a framework of proprietary standards that depend on Cisco specific algorithms. IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.

VPNs use virtual connections to create a private network through a public network.

Which statement describes a VPN? VPNs use dedicated physical connections to transfer data between remote users. VPNs use logical connections to create public networks through the Internet. VPNs use open source virtualization software to create the tunnel through the Internet. VPNs use virtual connections to create a private network through a public network.

The longer the key, the more key possibilities exist.

Which statement describes the effect of key length in deterring an attacker from hacking through an encryption key? The length of a key will not vary between encryption algorithms. The length of a key does not affect the degree of security. The shorter the key, the harder it is to break. The longer the key, the more key possibilities exist.

encryption

Which technique is necessary to ensure a private transfer of data using a VPN? authorization encryption scalability virtualization

hairpinning

Which term describes a situation where VPN traffic that is received by an interface is routed back out that same interface? split tunneling hairpinning MPLS GRE

AH uses IP protocol 51. AH provides integrity and authentication. ESP provides encryption, authentication, and integrity.

Which three statements describe the IPsec protocol framework? (Choose three.) AH uses IP protocol 51. AH provides encryption and integrity. AH provides integrity and authentication. ESP uses UDP protocol 50. ESP requires both authentication and encryption. ESP provides encryption, authentication, and integrity.

crypto ipsec transform-set ESP-DES-SHA esp-aes-256 esp-sha-hmac

Which transform set provides the best protection?
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-aes esp-des esp-sha-hmac

MD5 SHA

Which two IPsec protocols are used to provide data integrity? MD5 SHA AES DH RSA

50 51 ESP uses protocol 50. AH uses protocol 51. ISAKMP uses UDP port 500.

Which two protocols must be allowed for an IPsec VPN tunnel to operate properly? (Choose two.) 50 51 168 169 500 501

IPsec works at the network layer and operates over all Layer 2 protocols. IPsec is a framework of open standards that relies on existing algorithms.

Which two statements accurately describe characteristics of IPsec? (Choose two.) IPsec works at the application layer and protects all application data. IPsec works at the transport layer and protects data at the network layer. IPsec works at the network layer and operates over all Layer 2 protocols. IPsec is a framework of proprietary standards that depend on Cisco specific algorithms. IPsec is a framework of standards developed by Cisco that relies on OSI algorithms. IPsec is a framework of open standards that relies on existing algorithms.

GETVPN

Which type of site-to-site VPN uses trusted group members to eliminate point-to-point IPsec tunnels between the members of a group? DMVPN GETVPN GRE MPLS

