CCNP Security VPN FAQ: Cisco VPN 3000 LAN-to-LAN with Preshared Keys

Q1. What is a LAN-to-LAN connection?

Answer: A LAN-to-LAN connection is an IPSec tunnel between two VPN devices that protects the traffic passing between the networks behind them. Unlike a remote-access connection, no client software is involved: the two peers authenticate each other directly (with a preshared key in the configuration this chapter covers).

Q2. What equipment is required for a LAN-to-LAN connection?

Answer: A LAN-to-LAN connection requires an IPSec-capable device at each end; any combination of VPN concentrators, routers and firewalls may be used.

Q3. Where can a LAN-to-LAN connection be used?

Answer: You can use a LAN-to-LAN connection

  • Across the Internet
  • Between two networks connected through a trusted network
  • Between two networks connected through a non-trusted network

Q4. When setting up network lists, how should the lists at each side of the LAN-to-LAN connection relate to each other?

Answer: They must mirror each other. Each LAN-to-LAN entry on a concentrator has a Local Network list (the networks behind that concentrator) and a Remote Network list (the networks behind the peer). The Local list on one concentrator must therefore be the same set of networks as the Remote list on the other, and vice versa; a network present in one list but missing from its mirror on the peer will not be carried through the tunnel.

Q5. You attempted to configure a LAN-to-LAN connection, but cannot see a specific network on one side of the connection. What is the most likely problem?

Answer: Most likely, the network is missing from a network list on one of the concentrators: either from the Local Network list on the side that owns it, or from the Remote Network list on the side that needs to reach it.

Q6. What routing protocol is used for Autodiscovery?

Answer: RIP is used for Autodiscovery.

Q7. What is an identity certificate?

Answer: The identity certificate is used to uniquely identify a specific network device.

Q8. What is the advantage of using SCEP?

Answer: SCEP (Simple Certificate Enrollment Protocol) lets the concentrator request and install certificates directly from the CA over HTTP, instead of the manual process of pasting a PKCS#10 request into the CA and copying the issued certificate back.

Q9. What are critical items when using any certificates?

Answer: The date and time on the device. Every certificate carries a fixed validity window, and the concentrator compares that window against its own clock; a wrong clock makes an otherwise good certificate fail as "not yet valid" or "expired".

Q10. Order the steps for using a certificate:
1. Issue an enrollment request
2. Enroll with the CA
3. The enrollment request is accepted
4. Install the Certificate
5. Configure the concentrator to use the Certificate

Answer: 2, 1, 3, 4, 5

Q11. You want to use SCEP to enroll an identity certificate. How must the associated CA certificate be obtained?

Answer: The CA certificate must be obtained using SCEP.

Q12. What are the default directory and filename for the DLL used with SCEP?

Answer: The default filename is mscep.dll, served from the certsrv virtual directory of the Microsoft certificate server, so the enrollment URL path the concentrator points at is certsrv/mscep/mscep.dll.

Q13. What are the three major steps involved in using digital certificates for a LAN-to-LAN connection?

Answer: Configure the LAN-to-LAN connection to use the identity certificate. Configure the LAN-to-LAN connection to use the IKE proposal. Activate the IKE proposal.

Q14. When using an identity certificate, what is the effect of entering an incorrect name in the OU field?

Answer: The peer is placed in a group other than the one intended, and that group has no access.

Q15. What three key sizes may be used with DSA when installing certificates using SCEP?

Answer: 512, 768 and 1024 bits. All three are far below current minimums (NIST has disallowed DSA keys shorter than 2048 bits for signature generation since 2013), so these sizes are exam knowledge about a legacy platform, not a recommendation.

Q31. What screen is used to configure Network Autodiscovery?

Answer: The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen is used to set Network Autodiscovery.

Q32. You have two VPN Concentrators—one in Seattle, the other in London—used for connecting the two offices through VPNs. The Seattle office cannot reach one subnet attached to the London office. You have checked your network lists on the Seattle concentrator. You are sure that the “missing” network is properly configured. What is the most likely problem?

Answer: Because the two sides' network lists must mirror each other, both sets of lists must be checked, not just Seattle's. The next item to check is the Local Network list on the London concentrator: if the subnet is absent there, London will not carry traffic for it through the tunnel even though Seattle's Remote Network list includes it.
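The checks described in Q4, Q5 and this answer can be written down. The following is an added example, not code from the original page or from Cisco: it parses two concentrators' Local and Remote Network lists and reports which list is missing which network. The list contents, peer names and the entry syntax accepted (wildcard-mask form as well as CIDR) are constructed for illustration.

```python
"""Mirror check for VPN 3000 LAN-to-LAN network lists.

Added example, not from the original page.  Each LAN-to-LAN entry carries a
Local Network list and a Remote Network list; the Local list on one peer
must equal the Remote list on the other.  All list contents below are
constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

Network = ipaddress.IPv4Network


def parse_entry(entry: str) -> Network:
    """Parse one network-list entry.

    Accepts 'a.b.c.d/w.x.y.z' with a wildcard mask (0 bits must match) or
    plain CIDR 'a.b.c.d/n'.  The wildcard is inverted explicitly rather than
    handed to ipaddress, because ipaddress would read 0.0.0.0 as a netmask
    (/0) instead of a single-host wildcard (/32).  strict=True makes an entry
    with host bits set (e.g. 10.1.1.5/0.0.0.255) raise ValueError, which is
    a configuration error worth surfacing rather than silently rounding.
    """
    addr, sep, mask = entry.strip().partition("/")
    if not sep:
        raise ValueError(f"missing mask in {entry!r}")
    if "." in mask:
        wildcard = int(ipaddress.IPv4Address(mask))
        netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
        # ip_network rejects non-contiguous masks (e.g. wildcard 0.255.0.255)
        return ipaddress.ip_network(f"{addr}/{netmask}", strict=True)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)


def parse_list(entries: Iterable[str]) -> Set[Network]:
    return {parse_entry(e) for e in entries}


def mirror_report(a_name: str, a_local: Iterable[str], a_remote: Iterable[str],
                  b_name: str, b_local: Iterable[str], b_remote: Iterable[str]
                  ) -> Dict[str, List[str]]:
    """Compare two peers' lists.  Each key names a list; the value is the set
    of networks that list should contain (because the peer's mirror list has
    them) but does not.  Matching is on exact prefixes, so 10.1.0.0/16 on one
    side and 10.1.0.0/17 on the other is reported as two mismatches."""
    a_loc, a_rem = parse_list(a_local), parse_list(a_remote)
    b_loc, b_rem = parse_list(b_local), parse_list(b_remote)

    def fmt(nets: Set[Network]) -> List[str]:
        return sorted(str(n) for n in nets)

    return {
        f"{a_name}_local":  fmt(b_rem - a_loc),   # B expects these behind A
        f"{a_name}_remote": fmt(b_loc - a_rem),   # B owns these, A will not tunnel them
        f"{b_name}_local":  fmt(a_rem - b_loc),
        f"{b_name}_remote": fmt(a_loc - b_rem),
    }


# Constructed scenario matching Q32: Seattle's lists are complete, London's
# Local list is missing one of its own subnets.
SEATTLE_LOCAL = ["10.1.0.0/0.0.255.255", "10.2.0.0/0.0.255.255"]
SEATTLE_REMOTE = ["172.16.10.0/0.0.0.255", "172.16.20.0/0.0.0.255"]
LONDON_LOCAL = ["172.16.10.0/0.0.0.255"]           # 172.16.20.0/24 forgotten
LONDON_REMOTE = ["10.1.0.0/0.0.255.255", "10.2.0.0/0.0.255.255"]


def check_seattle_london() -> Dict[str, List[str]]:
    return mirror_report("seattle", SEATTLE_LOCAL, SEATTLE_REMOTE,
                         "london", LONDON_LOCAL, LONDON_REMOTE)


if __name__ == "__main__":
    for list_name, missing in check_seattle_london().items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{list_name:15} {status}")
```

Run as-is, the report flags only london_local as missing 172.16.20.0/24, which is exactly where the answer above says to look next.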

Q33. You are using Network Autodiscovery. You do not see a single remote network that is connected through a series of routers to your remote concentrator. Where should your troubleshooting efforts be directed?

Answer: Because Network Autodiscovery relies on RIP, the first place to look is the RIP tables. Is RIP enabled on the concentrator's private interface? Is the network advertised at all? Is RIP being filtered somewhere along the path? Is the network so far away that it exceeds the RIP hop-count limit (15 hops is the maximum; a metric of 16 means unreachable and the route is never installed)?

Q34. You are using SCEP. Your junior assistant has configured the system. You have established a VPN connection to the remote site, but your remote group does not have access to your network. What is a probable cause?

Answer: The OU (Organizational Unit) in the peer's identity certificate must match the IPSec group name configured on the concentrator. If they differ, the IKE negotiation still succeeds, because the certificate chains to a trusted CA, but the peer is placed in a group other than the expected one, and that group has no access to your network.
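The two certificate checks this FAQ keeps returning to, the validity window against the device clock (Q9) and the OU-to-group match (Q14 and this answer), are modelled in the following added example. It is not code from the original page or from the VPN 3000 itself; the subject DNs, validity dates, group name, group network list and clock values are all constructed, and "reachable networks per group" is this example's simplification of what a group grants.

```python
"""Added example (not from the original page): the two checks a peer's
identity certificate must pass on a VPN 3000 style LAN-to-LAN connection,
in the order the concentrator applies them.  All DNs, dates, group names
and network lists are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514 style DN ('CN=a, OU=b, O=c') into type -> values.

    Simplified parser: handles backslash-escaped separators, not hex
    escapes.  Attribute types are upper-cased; repeated types (several OUs)
    keep their order.
    """
    attrs: Dict[str, List[str]] = {}
    components, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))
    for comp in components:
        attr_type, sep, value = comp.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed DN component {comp!r}")
        attrs.setdefault(attr_type.strip().upper(), []).append(value.strip())
    return attrs


@dataclass
class PeerCert:
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class Outcome:
    tunnel_up: bool
    group: Optional[str]
    reachable: List[str]      # networks the matched group may reach (simplification)
    reason: str


def evaluate_peer(cert: PeerCert, device_clock: datetime,
                  groups: Dict[str, List[str]]) -> Outcome:
    """Validity first (a bad clock fails IKE outright), then OU -> group."""
    if device_clock < cert.not_before:
        return Outcome(False, None, [],
                       f"not yet valid: device clock {device_clock:%Y-%m-%d} "
                       f"is before notBefore {cert.not_before:%Y-%m-%d}")
    if device_clock > cert.not_after:
        return Outcome(False, None, [],
                       f"expired: device clock {device_clock:%Y-%m-%d} "
                       f"is after notAfter {cert.not_after:%Y-%m-%d}")
    ous = parse_dn(cert.subject).get("OU", [])
    ou = ous[0] if ous else None
    if ou not in groups:
        # The CA is trusted, so IKE completes, but no configured group
        # matches: the peer gets none of the intended group's access.
        return Outcome(True, None, [], f"OU {ou!r} matches no IPSec group")
    return Outcome(True, ou, list(groups[ou]), "group matched")


# Constructed data: one group, the certificate London should present, and
# the same certificate with a typo in the OU.
UTC = timezone.utc
GROUPS = {"L2L-London": ["172.16.10.0/24", "172.16.20.0/24"]}
LONDON_CERT = PeerCert(
    subject="CN=london-vpn.example.net, OU=L2L-London, O=Example\\, Ltd, C=GB",
    not_before=datetime(2003, 1, 1, tzinfo=UTC),
    not_after=datetime(2004, 1, 1, tzinfo=UTC),
)
TYPO_CERT = PeerCert(
    subject="CN=london-vpn.example.net, OU=L2L-Londn, O=Example\\, Ltd, C=GB",
    not_before=LONDON_CERT.not_before,
    not_after=LONDON_CERT.not_after,
)


def scenarios() -> Dict[str, Outcome]:
    return {
        "correct": evaluate_peer(LONDON_CERT, datetime(2003, 6, 1, tzinfo=UTC), GROUPS),
        # concentrator clock reset by a power loss to a date before issuance
        "clock_reset": evaluate_peer(LONDON_CERT, datetime(2000, 1, 1, tzinfo=UTC), GROUPS),
        "ou_typo": evaluate_peer(TYPO_CERT, datetime(2003, 6, 1, tzinfo=UTC), GROUPS),
    }


if __name__ == "__main__":
    for name, o in scenarios().items():
        print(f"{name:12} tunnel_up={o.tunnel_up!s:5} group={o.group!s:11} "
              f"reachable={o.reachable} ({o.reason})")
```

The ordering matters for troubleshooting: a clock problem shows up as a failed IKE negotiation (no tunnel at all), whereas an OU mismatch produces a tunnel that is up but carries no traffic, which is the symptom described in this question.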

Q35. You are using SCEP. You are trying to enroll a certificate. Your concentrator shows that it is polling. It has been in this state for over an hour. What is the most likely cause?

Answer: Because issuing a certificate is a manual step on most certificate servers (the CA administrator must approve the pending request before the server returns it), the most probable cause is that the request is still pending on the server. Contact the CA administrator to find out the status of the request.

Q36. What screen is used to determine the IKE proposal used for a LAN-to-LAN connection?

Answer: The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen is used to determine which IKE proposal is used for a LAN-to-LAN connection.

Q37. What is the purpose of the challenge password on the Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen?

Answer: The challenge password may be required by the certificate server. It is a secret agreed out of band between the CA administrator and the enrolling device (on a Microsoft SCEP server it is typically generated by the server and handed to the administrator), and the server uses it to ensure that certificates are not issued to anyone who merely knows the enrollment URL.

Q38. You wish to use Network Autodiscovery because it sounds easier. How are the networks learned and how do you ensure that only specific networks are included?

Answer: Autodiscovery relies on RIP. The concentrator learns networks from the RIP advertisements it hears on its private interface and advertises every one of them to the remote peer; there is no provision in the concentrator configuration for limiting which learned networks are included. Therefore, if you wish to limit the networks seen, you must limit the RIP advertisements sent by the routers connected to the concentrator's private interface. You must also ensure that RIP is enabled on that interface in the Configuration | Interfaces screen, otherwise nothing is learned at all.
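What Autodiscovery ends up advertising, and the two failure modes raised in Q33 and here (a network beyond the hop-count limit, and filtering on the adjacent router being the only way to restrict the list), can be seen in the following added example. It is a toy RIP chain, not code from the original page or from any Cisco product; the topology and addresses are constructed, and the Cisco-style convention that the sender increments the metric before advertising is an assumption of the model.

```python
"""Toy RIP chain showing what VPN 3000 Network Autodiscovery learns.

Added example, not from the original page.  Topology and addresses are
constructed.  Modelled behaviour (RFC 2453): a metric of 16 means
unreachable and such routes are never installed; metrics grow by one per
router (Cisco-style, the sender increments before advertising, an
assumption of this model).  The 'allow' filter stands in for an outbound
advertisement filter (e.g. a distribute-list) on the router facing the
concentrator's private interface; the concentrator has no such knob.
"""
from typing import Dict, List, Optional, Set

RIP_INFINITY = 16


def build_chain(depth: int) -> List[List[str]]:
    """Router i (0 = adjacent to the concentrator) owns 10.(i+1).0.0/16."""
    return [[f"10.{i + 1}.0.0/16"] for i in range(depth)]


def advertisements_toward_concentrator(chain: List[List[str]]) -> Dict[str, int]:
    """Walk the chain from the far end; return what router 0 advertises."""
    heard: Dict[str, int] = {}
    for connected in reversed(chain):
        table = {net: 0 for net in connected}            # connected routes
        for net, metric in heard.items():
            if metric < RIP_INFINITY and metric < table.get(net, RIP_INFINITY):
                table[net] = metric                       # install if reachable and better
        # advertise everything in the table toward the concentrator, +1 hop,
        # capped at 16 so a route at the limit is poisoned rather than grown
        heard = {net: min(m + 1, RIP_INFINITY) for net, m in table.items()}
    return heard


def autodiscovered(chain: List[List[str]], allow: Optional[Set[str]] = None,
                   rip_on_private: bool = True) -> Dict[str, int]:
    """Networks (with hop count) the concentrator learns via RIP and will
    therefore advertise to its LAN-to-LAN peer as Local networks."""
    if not rip_on_private:
        return {}                 # Configuration | Interfaces: RIP off, nothing learned
    learned: Dict[str, int] = {}
    for net, metric in advertisements_toward_concentrator(chain).items():
        if metric >= RIP_INFINITY:
            continue              # beyond 15 hops: poisoned, never installed
        if allow is not None and net not in allow:
            continue              # filtered on router 0 before it is ever sent
        learned[net] = metric
    return learned


if __name__ == "__main__":
    chain = build_chain(16)       # 16 routers deep: the last network is unreachable
    for net, hops in sorted(autodiscovered(chain).items(), key=lambda kv: kv[1]):
        print(f"{net:15} {hops:2} hops")
    print("dropped:", sorted(set(chain[-1]) - set(autodiscovered(chain))))
    print("filtered:", autodiscovered(chain, allow={"10.1.0.0/16", "10.2.0.0/16"}))
```

With sixteen routers in a row the concentrator installs 10.1.0.0/16 through 10.15.0.0/16 (1 to 15 hops) and silently drops 10.16.0.0/16, which is the symptom in Q33; the filtered run shows that restricting what router 0 advertises is the only place the learned list can be trimmed.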

Q39. What are the differences between a root certificate, a subordinate certificate, and an identity certificate?

Answer: A certificate signed with its own key is a self-signed certificate; the self-signed CA certificate at the top of a chain is the root certificate. A CA certificate issued by the root (or by another CA beneath it) is a subordinate certificate; a subordinate CA can issue identity certificates and, where its constraints allow, further subordinate CA certificates. An identity certificate is an end-entity certificate: it authenticates one specific host and can never issue another certificate. Root and subordinate certificates are installed on many hosts so that each can validate the certificates those CAs issue, while an identity certificate belongs to a single device.

Q40. What are the maximum numbers of certificates that may be used on concentrators?

Answer: The maximum number varies by model. On the 3005 a total of 6 root or subordinate certificates may be installed, with a maximum of two identity certificates. On the other concentrator models a total of 20 root or subordinate certificates and 20 identity certificates may be installed. On all models, only a single SSL certificate can be installed.

About the author

Scott
