CCSP SECUR FAQ : Building a VPN Using IPSec
Q1. What is the purpose of the intranet VPN?
A. For dialup users to access the intranet
B. For business partners to trade data
C. To securely interconnect business locations
D. To allow access to the intranet server
E. None of the above
Q2. What should you be most aware of when using the debug crypto isakmp command?
A. The command generates traffic that could bring the VPN down.
B. The command generates a tremendous amount of output.
C. The command should only be used in high-traffic environments.
D. The command resets your IKE SAs.
E. This is not a valid command.
Q3. What are two methods of peer authentication used with IKE? (Choose two.)
A. RSA digitized signatures
B. RSA-encrypted nonces
C. TACACS+
D. Diffie-Hellman signatures
E. Preshared keys
Q4. What command tells you the state of your connection to your IKE SA peer?
A. show crypto sa
B. show sa peer ipsec
C. show ipsec peer sa
D. show crypto isakmp sa
E. show crypto ipsec sa
Q5. Diffie-Hellman Key Exchange is a public key cryptography protocol. Group 1 consists of -bit encryption.
A. 168
B. 1024
C. 768
D. 128
E. 1536
Q6. What UDP port cannot be blocked on the perimeter router for IKE to function?
A. 443
B. 500
C. 505
D. 1521
E. None of the above
Q7. What steps are required to configure IKE on the router?
A. Enable IKE, configure preshared key, create the IKE policy, and verify the IKE configuration.
B. Verify connectivity, enable IKE, create the ACLs, and verify the IKE configuration.
C. Verify the IKE configuration, enable IKE, configure preshared key, and reboot the router.
D. Enter the global config mode, enter the interface config mode, enable IKE, test connectivity, and configure IKE.
Q8. What happens if you configure multiple transform sets on the router?
A. The peers do not connect.
B. The peers look for a match.
C. The router does not send clear-text data.
D. Authentication works but not encryption.
E. Only bidirectional traffic is possible.
Q9. What is the correct command syntax for configuring the IPSec SA lifetime?
A. crypto ipsec sa lifetime
B. ipsec sa time
C. crypto sa timeout
D. crypto ipsec security-association lifetime
E. None of the above
Q10. What information does the show crypto key pubkey-chain rsa give you?
A. It tells you whether the information was manually configured or extracted from a certificate.
B. It gives you the host name of the peer.
C. It provides the IP address of the peer.
D. All of the above.
E. None of the above.
Q11. What is the preferred key distribution method for configuring VPN peers?
Q12. What is DES?
Q13. Of the two hash algorithms, which is more secure?
Q14. What are the protocol numbers for ESP and AH?
Q15. Why is it a good idea to verify connectivity before attempting to configure a VPN connection?
Q16. What is a policy priority?
Q17. What is the first command you should input when creating an IKE policy?
Q18. What policy priority number has greater precedence?
Q19. What is the default timeout for the global IPSec SA lifetime?
Q20. True or False: Crypto access lists are bidirectional?
Q21. What must you do to activate a crypto map?
Q22. What does Cisco recommend about manual IPSec?
Q23. How could you find out the router host name and domain name of your peer?
Q24. What is the command for generating RSA key pairs?
More Resources