NSE4 7.2 Infrastructure - IPsec VPN


Which IKEv1 negotiation mode is faster?

Aggressive

What is a configuration requirement for an IPsec tunnel to come up?

At least one firewall policy accepting traffic on the IPsec tunnel interface

Three steps of IKE Phase 1

Authenticate the peers, negotiate a bidirectional IKE SA, and run a Diffie-Hellman exchange to derive the shared secret keys

AH

Authentication Header

What three things does IPsec usually provide while joining hosts and networks into a private network?

Authentication, data integrity, and data confidentiality

ADVPN

Auto-discovery VPN

What do you need to enable on your IPsec tunnels to leverage redundant VPN tunnel fault tolerance?

DPD

What type of VPN peer can initiate an IPsec VPN tunnel?

Dial-up client (in a dial-up VPN only the client can initiate; the dial-up server does not know the client's address)

For which remote gateway type does the static route get added to the routing table during phase 2?

Dialup user

What does ADVPN do?

Dynamically negotiates tunnels between spokes without these tunnels being preconfigured to get the benefits of a full-mesh topology

ESP

Encapsulating Security Payload

What is inside ESP encapsulation in tunnel mode?

Entire IP packet, including header

Who connects to who in a full IPsec mesh?

Every location connects to every other location

What happens when Perfect Forward Secrecy is enabled on IKE phase 2?

FortiGate performs a new Diffie-Hellman exchange each time phase 2 expires (rekeys), so the new IPsec keys are not derived from the phase 1 keying material

FEC

Forward Error Correction

What is the fastest but most expensive IPsec topology?

Full mesh

What is the cheapest but slowest IPsec topology?

Hub-and-spoke (spoke-to-spoke traffic must transit the hub)

What is the outcome of phase 1 of IKE?

IKE SA

Which IKE version includes aggressive and main modes?

IKEv1

Which IKE version requires peer acknowledgement?

IKEv2

Which version of IKE supports asymmetric authentication?

IKEv2

What is the outcome of phase 2 of IKE?

IPsec SAs (one unidirectional SA for each direction of traffic)

IKE

Internet Key Exchange

What does IKE do to establish an IPsec VPN tunnel?

Negotiates the tunnel's session keys, authentication, and encryption algorithms

On which phase of IPsec setup do you configure the algorithms used for traffic encryption?

Phase 2

Which IPsec VPN type is legacy and not recommended for new deployments?

Policy-based IPsec VPN

What are the possible authentication methods for IKE Phase 1?

Pre-shared key, digital signature (certificate), and XAuth (additional user authentication on top of the PSK or signature)

With a remote access VPN, who must initiate a VPN connection request, and why?

Remote user; FortiGate does not know the IP address of the remote user

What determines whether an IPsec tunnel is used as primary or backup?

Route distance/priority

What are IKE SAs used to set up?

Secure channel to negotiate IPsec SAs

SA

Security Association

How can you force ESP and IKE to use UDP 4500?

Set NAT Traversal to Forced

Which IPsec authentication method uses certificates?

Signature

For which remote gateway types do IPsec tunnels appear in the routing table after phase 1 comes up?

Static IP address or dynamic DNS

What is inside ESP encapsulation in transport mode?

Only the transport-layer payload; the original IP header is kept and is not encapsulated

What is the protocol and port for NATed IKE?

UDP 4500

What is the protocol and port for un-NATed IKE?

UDP 500

When do you use dial-up user when establishing IPsec tunnel?

When remote peer IP address is unknown
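As an added example (not from the page or from Fortinet's documentation), the FortiGate side of a dial-up VPN corresponding to the cards above: the remote gateway type is Dialup User because the branch address is unknown, only the branch can initiate, and the route to the branch LAN is installed when phase 2 comes up. Interface names, 10.1.0.0/16 and the PSK placeholder are assumptions; lines beginning with "#" are annotations, not FortiOS CLI.

```fortios
# Added example: FortiGate as the dial-up IPsec server (IKEv2, route-based).
# Lines starting with "#" are annotations, not FortiOS CLI.
config vpn ipsec phase1-interface
    edit "branches-dialup"
        # "dynamic" = remote gateway type Dialup User: no remote-gw is set,
        # so the FortiGate can only answer, never initiate
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        # Install a route to each branch's LAN from the phase 2 selector it
        # proposes, once phase 2 is up (no static route is configured by hand)
        set add-route enable
        set psksecret "replace-with-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "branches-dialup-p2"
        set phase1name "branches-dialup"
        set proposal aes256gcm
        set pfs enable
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.0.0
        # 0.0.0.0/0 accepts whatever LAN a branch proposes; the installed route
        # is narrowed to that branch's selector, not to 0.0.0.0/0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config firewall policy
    edit 0
        set name "dialup-to-lan"
        set srcintf "branches-dialup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "lan-to-dialup"
        set srcintf "internal"
        set dstintf "branches-dialup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After a branch connects, `diagnose vpn tunnel list` shows the negotiated selectors and `get router info routing-table all` shows the route that add-route installed; that route disappears again when the branch's phase 2 expires or DPD declares the peer dead.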

When are DPD probes sent when DPD is set to On Demand?

When there is outbound traffic but no inbound traffic from the peer

When are DPD probes sent when DPD is set to On Idle?

When there is no traffic in either direction
