NSE4 7.2 Infrastructure - IPsec VPN
Which IKEv1 negotiation mode is faster?
Aggressive
What is a configuration requirement for an IPsec tunnel to come up?
At least one firewall policy accepting traffic on the IPsec tunnel
Three steps of IKE Phase 1
Authenticate peers, negotiate bidirectional IKE SA, Diffie-Hellman exchange for secret keys
AH
Authentication Header
What three things does IPsec usually provide while joining hosts and networks into a private network?
Authentication, data integrity, and data confidentiality
ADVPN
Auto-discovery VPN
What do you need to enable on your IPsec tunnels to leverage redundant VPN tunnel fault tolerance?
DPD
What type of VPN peer can initiate an IPsec VPN tunnel?
Dial-up client
For which remote gateway type does the static route get added to the routing table during phase 2?
Dial-up user
What does ADVPN do?
Dynamically negotiates tunnels between spokes without these tunnels being preconfigured to get the benefits of a full-mesh topology
ESP
Encapsulated Security Payload
What is inside ESP encapsulation in tunnel mode?
Entire IP packet, including header
Who connects to whom in a full IPsec mesh?
Every location connects to every other location
What happens when Perfect Forward Secrecy is enabled on IKE phase 2?
FortiGate uses DH to generate new keys each time phase 2 expires
FEC
Forward Error Correction
What is the fastest but most expensive IPsec topology?
Full mesh
What is the cheapest but slowest IPsec topology?
Hub-and-spoke
What is the outcome of phase 1 of IKE?
IKE SA
Which IKE version includes aggressive and main modes?
IKEv1
Which IKE version requires peer acknowledgement?
IKEv2
Which version of IKE supports asymmetric authentication?
IKEv2
What is the outcome of phase 2 of IKE?
IPsec SA
IKE
Internet Key Exchange
What does IKE do to establish an IPsec VPN tunnel?
Negotiates a tunnel's private keys, authentication, and encryption
On which phase of IPsec setup do you configure the algorithms used for traffic encryption?
Phase 2
Which IPsec VPN type is legacy and not recommended for new deployments?
Policy-based IPsec VPN
What are the possible authentication methods for IKE Phase 1?
Pre-shared key, digital signature, XAuth
With a remote access VPN, who must initiate a VPN connection request, and why?
Remote user; FortiGate does not know the IP address of the remote user
What determines whether an IPsec tunnel is used as primary or backup?
Route distance/priority
What are IKE SAs used to set up?
Secure channel to negotiate IPsec SAs
SA
Security Association
How can you force ESP and IKE to use UDP 4500?
Set NAT Traversal to Forced
Which IPsec authentication method uses certificates?
Signature
For which remote gateway types do IPsec tunnels appear in the routing table after phase 1 comes up?
Static IP address or dynamic DNS
What is inside ESP encapsulation in transport mode?
Transport layer content; no header encapsulation
What is the protocol and port for NATed IKE?
UDP 4500
What is the protocol and port for un-NATed IKE?
UDP 500
When do you use the dial-up user remote gateway type when establishing an IPsec tunnel?
When the remote peer's IP address is unknown
When are DPD probes sent when DPD is set to On Demand?
When there is no inbound traffic
When are DPD probes sent when DPD is set to On Idle?
When there is no traffic