CCNP Security FAQ : Virtual Private Networks

Q1. Which type of encryption is stronger?
A. Group 2 Diffie-Hellman
B. AES-128
C. 3DES
D. AES-192
E. DES

Answer: D

Q2. Which service uses UDP port 500?
A. IPSec
B. OAKLEY
C. IKE
D. None of these answers are correct

Answer: C

Q3. Which service uses TCP port 50?
A. IKE
B. AH
C. OAKLEY
D. ESP
E. None of these answers are correct

Answer: E

Q4. What is the size of the output for a MD5 hash?
A. There is no fixed size.
B. 256 bits
C. 255 bits
D. 128 bits
E. None of these answers are correct

Answer: D

Q5. What is the most scalable VPN solution?
A. Manual-IPSec with CAs
B. IKE using OAKLEY
C. IKE using CAs
D. CAs using preshared keys
E. None of these answers are correct

Answer: C

Q6. What is the function of the access list with regard to VPNs?
A. It tells the Security Appliance what traffic should be allowed.
B. It tells the Security Appliance what traffic should be encrypted.
C. It tells the Security Appliance what traffic should be denied.
D. None of these answers are correct.

Answer: B

Q7. What is the configuration value for the unlimited ISAKMP phase 1 lifetime?
A. Unlim
B. 99999
C. 86400
D. 19200
E. 0

Answer: E

Q8. The X509v3 standard applies to which standard or protocol?
A. Authentication Header format
B. ESP header format
C. Digital certificates
D. Diffie-Hellman negotiation
E. AES encryption

Answer: C

Q9. What are three types of VPNs?
A. Hardware, software, and concentrator
B. Manual, dynamic, and very secure
C. Dialup, cable, and LAN
D. Access, intranet, and extranet
E. Internet, extranet, and dialup

Answer: D

Q10. What command will allow you to watch the IKE negotiations?
A. debug isakmp sa
B. debug crypto isakmp
C. view isakmp neg
D. view crypto isakmp
E. debug isakmp crypto

Answer: B

Q11. What features of WebVPNs differ from IPSec VPNs?
A. WebVPNs are clientless.
B. WebVPNs allow port forwarding.
C. WebVPNs securely access e-mail systems.
D. WebVPNs are supported only by ASA 55X0 firewalls.
E. None of these answers are correct

Answer: A, B, and C

Q12. Why is manual-IPSec not recommended by Cisco?

Answer: The session keys are manually coded and never change.

Q13. What is the difference between an access VPN and an intranet VPN?

Answer: Access VPNs require VPN client software on the remote machine and intranet VPNs do not.

Q14. Which hash algorithm is configured by default for phase 1?

Answer: SHA-1

Q15. What are the two methods of identifying SA peers?

Answer: By IP address or host name

Q16. What happens if you have different ISAKMP policies configured on your potential SA peers, and none of them match?

Answer: They will not be able to negotiate the connection.

Q17. Where do you define your authentication method?

Answer: isakmp policy

Q18. What authentication types are supported for e-mail proxy services?

Answer:

  • AAA
  • certificate
  • mailhost
  • piggyback

Q19. What is the default lifetime if not defined in isakmp policy?

Answer: 86,400 seconds

Q20. Do your transform sets have to match exactly on each peer?

Answer: No, the peers will continue to go through the transforms until they find a match. If there is no match, they will be unable to negotiate the connection.

Q21. What is the difference between the isakmp lifetime and the crypto map lifetime?

Answer: The isakmp lifetime initiates a renegotiation of IKE based on time only; the crypto map lifetime initiates a renegotiation of the IPSec SA based on time or on the amount of traffic that passes through the connection (in kilobytes).

Q22. What command do you use to delete any active SAs?

Answer: clear crypto isakmp sa

Q23. What is the command for defining a preshared key?

Answer: isakmp keystring address peer-address netmask peer-netmask

Q24. What is the first thing you should check if you are unable to establish a VPN?

Answer: You should verify connectivity prior to attempting to establish the VPN. If you have connectivity but cannot establish the VPN, you should verify that the configuration of the peers matches.

Q25. What commands are required to enable file browsing on a WebVPN connection?

Answer: functions file-browsing

Q26. What is the command to apply an access list to a crypto map?

Answer: crypto map map-name seq-num match address acl-name

Q27. What is the difference between ESP and AH?

Answer: AH does only header authentication; ESP can perform authentication of the header and the data as well as encryption.

About the author

Scott