CCNA Security FAQ: Virtual Private Networks with IPsec

Question. True or false. Site-to-site IPsec VPNs are an evolution of dial-up networking.

Answer: The correct answer is false. Site-to-site IPsec VPNs are an evolution of WAN technology.

Question. Which of the following is not considered a feature that can be configured as part of an IPsec VPN? (Choose all that apply.)
A. Authorization
B. Auditing
C. Confidentiality
D. Integrity
E. Authentication

Answer: The correct choices are A and B. Authorization and auditing (accounting) are considered parts of a AAA solution. IPsec VPNs provide for Confidentiality, Integrity, Authentication, and Anti-replay (C-I-A-A).

Question. What are two modes of operation for both Authentication Header (AH) and Encapsulating Security Payload (ESP)? (Choose two.)
A. Transmission mode
B. Transport mode
C. Transparent mode
D. Tunnel mode

Answers: B and D

Question. Which of the following licenses dictates the number of allowed concurrent connections on an ASA 5500 series appliance?
A. Feature license
B. Encryption license
C. Platform license
D. Expansion license

Answer: C

Question. Which hashing algorithm does Cisco recommend as a best practice because of its increased security and speed?
A. 3DES
B. SHA
C. AES
D. MD5

Answer: B

Question. What are two disadvantages of Cisco IOS SSL VPNs when compared with IPsec VPNs?
A. Hardware-only. The solution is implemented in hardware on either the VPN gateway or the client making the solution Cisco-proprietary.

B. Software-only. The solution is implemented in software on the VPN gateway and client.

C. Cryptographic security. Does not support the same level of encryption security as IPsec.

D. Incompatibility. Creating rules to allow SSL VPN traffic over intermediate routers and other gateways is difficult.

E. None of the above.

Answer: The correct choices are A and B. Authorization and auditing (accounting) are considered parts of a AAA solution. IPsec VPNs provide for Confidentiality, Integrity, Authentication, and Anti-replay (C-I-A-A).

Question. Fill in the following table with the letter corresponding to the most correct answer for devices’ role in the context of remote-access and site-to-site VPNs. (The same letter can be used more than once.)
[Table 7-1: VPN Type (table not reproduced on this page)]

Choices:
A. Primary role
B. Secondary role
C. Complements firewall role
D. Yes, but IT Security manages the VPN
E. Supports VPN 3000 Series Concentrator features

The correct answers are as follows:
[Table 7-2: VPN Type (answer table not reproduced on this page)]

Question. Which of the following list is not considered to be a VPN feature of Cisco VPN-enabled IOS routers? (Choose all that apply.)
A. Stateful Switchover (SSO)
B. AnyConnect standalone SSL VPN client
C. IPsec Stateful Failover
D. Voice and Video Enabled VPN (V3PN)
E. Cisco Easy VPN Remote

Answer: The correct choice is B. Currently, the AnyConnect SSL VPN client is only supported on the Cisco ASA 5500 Series adaptive security appliances. All of the other choices are VPN features of the Cisco VPN-enabled IOS routers.

Question. Fill in the blanks in the description below with choices from the list. (A choice may only be used once.)
At a high level, IKE Phase I handles all _____ and _____ between VPN peers, whereas the main task of IKE Phase II is the transmission and _____ of data by applying confidentiality, integrity, authentication, and anti-replay services to it.
Choices:
A. Transformation
B. Authentication
C. Negotiation
D. Verification

Answer: The first two blanks should be B and C, in any order. The last blank is A. Verification is a subset of transformation; therefore, answer D cannot be used.

Question. Which of the following encryption algorithms (ciphers) is supported on VPN-enabled Cisco IOS routers? (Choose all that apply.)
A. Blowfish
B. DUAL
C. SEAL
D. 3DES
E. AES
F. RSA

Answer: Blowfish is a cipher but is not supported on the router. DUAL is the name for the algorithm that Cisco’s proprietary Enhanced Interior Gateway Routing Protocol (EIGRP) employs and is not a cipher. All the other choices (C, D, E, and F) are supported ciphers for IPsec VPNs.

Question. Fill in the blanks in the paragraph below with a letter corresponding to the correct choice from the list:
IKE Phase I uses a _____ to group elements together, whereas IKE Phase II groups ciphers and HMACs and other parameters in a _____.
Choices:
A. Negotiation set
B. Encryption set
C. HMAC (Hashing Media Authentication Code) set
D. Transform set
E. Policy set

Answer: The correct choices are E and D. The other choices are made up.

Question. Which of the following is true about a crypto map? (Choose all that apply.)
A. You can only have one crypto map per interface.
B. You can only have one crypto map per router.
C. A single crypto map can support multiple peers.
D. A single crypto map can support only one peer.
E. Crypto maps group all the policy elements of a transform set.

Answers: A and C are correct. You can have as many crypto maps as you have interfaces, but only one crypto map per interface. This being the case, that one crypto map may need to support multiple remote-access and site-to-site VPNs.

Question. Which of the following acts as a VPN termination device and is located at a primary network location?
A. Headend VPN device
B. VPN access device
C. Tunnel
D. Broadband service

Answer: A

Question. Which of the following ensures that data is not modified in transit?
A. Confidentiality
B. Integrity
C. Authentication
D. Authorization

Answer: B

Question. What two IKE modes can negotiate an IKE Phase 1 (that is, an ISAKMP) tunnel? (Choose two.)
A. Main mode
B. Quick mode
C. Aggressive mode
D. Promiscuous mode

Answers: A and C

Question. Which of the following statements is true about using the Cisco SDM VPN Wizard? (Choose one.)
A. You cannot configure to the same level of granularity as with the CLI.

B. There is no SDM item to test the VPN once it is created, and you must use the CLI to generate traffic to launch the VPN.

C. You can test the VPN once it is created and use the SDM to generate traffic to launch the VPN if needed.

D. The SDM cannot create a site-to-site VPN. This must be accomplished through the CLI, though a new version of the SDM is planned that will have wizards to accomplish this task.

E. None of the above.

Answer: C. One of the strengths of the SDM is that you can perform all the configuration tasks for a VPN with the SDM wizards. For comprehensive troubleshooting, Cisco recommends using certain CLI commands, but the SDM wizard can generate traffic in order to launch the VPN.

Question. An IPsec tunnel is negotiated within the protection of which type of tunnel?
A. L2TP tunnel
B. L2F tunnel
C. GRE tunnel
D. ISAKMP tunnel

Answer: D

Question. What component of an IPsec configuration identifies “interesting” traffic—traffic that should be protected within the IPsec tunnel?
A. Transform set
B. ISAKMP policy
C. ACL
D. Diffie-Hellman group

Answer: D

Question. Which command is used to specify Diffie-Hellman group 2 as part of an IKE Phase 1 configuration?
A. group 2
B. diffie-hellman 2
C. df group 2
D. pre-share group 2

Answer: A

Question. What three parameters do you configure when using the Cisco SDM Quick Setup Site-to-Site VPN wizard? (Choose three.)
A. Interface for the VPN connection
B. IP address for the remote peer
C. Transform set for the IPsec tunnel
D. Source interface where encrypted traffic originates

Answers: A, B, and D

Question. What command displays all existing IPsec security associations (SA)?
A. show crypto isakmp sa
B. show crypto ipsec sa
C. show crypto ike active
D. show crypto sa active

Answer: B

Question. From what configuration mode would you enter the set peer ip-address command to specify the IP address of an IPsec peer?
A. Transform set configuration mode
B. Crypto map configuration mode
C. ISAKMP configuration mode
D. Interface configuration mode

Answer: B

Question. To what entity is a crypto map applied to make the crypto map active?
A. Transform set
B. Interface
C. Virtual template
D. ISAKMP proposal

Answer: B

Question. What two site-to-site VPN wizards are available in the Cisco SDM interface? (Choose two.)
A. Easy VPN Setup
B. Quick Setup
C. Step-by-Step
D. DMVPN Setup

Answers: B and C

About the author

Scott
