CCNA Security FAQ: Virtual Private Networks with IPsec
Question. True or false. Site-to-site IPsec VPNs are an evolution of dial-up networking.
Question. Which of the following is not considered a feature that can be configured as part of an IPsec VPN? (Choose all that apply.)
A. Authorization
B. Auditing
C. Confidentiality
D. Integrity
E. Authentication
A. Transmission mode
B. Transport mode
C. Transparent mode
D. Tunnel mode
A. Feature license
B. Encryption license
C. Platform license
D. Expansion license
A. 3DES
B. SHA
C. AES
D. MD5
Question. What are two disadvantages of Cisco IOS SSL VPNs when compared with IPsec VPNs?
A. Hardware-only. The solution is implemented in hardware on either the VPN gateway or the client, making the solution Cisco-proprietary.
B. Software-only. The solution is implemented in software on the VPN gateway and client.
C. Cryptographic security. Does not support the same level of encryption security as IPsec.
D. Incompatibility. Creating rules to allow SSL VPN traffic over intermediate routers and other gateways is difficult.
E. None of the above.
Question. Fill in the following table with the letter corresponding to the most correct answer for devices’ role in the context of remote-access and site-to-site VPNs. (The same letter can be used more than once.)
VPN Type
Choices:
A. Primary role
B. Secondary role
C. Complements firewall role
D. Yes, but IT Security manages the VPN
E. Supports VPN 3000 Series Concentrator features
VPN Type
Question. Which of the following is not considered to be a VPN feature of Cisco VPN-enabled IOS routers? (Choose all that apply.)
A. Stateful Switchover (SSO)
B. AnyConnect standalone SSL VPN client
C. IPsec Stateful Failover
D. Voice and Video Enabled VPN (V3PN)
E. Cisco Easy VPN Remote
Question. Fill in the blanks in the description below with choices from the list. (A choice may only be used once.)
At a high level, IKE Phase I handles all _____ and _____ between VPN peers, whereas the main task of IKE Phase II is the transmission and _____ of data by applying confidentiality, integrity, authentication, and anti-replay services to it.
Choices:
A. Transformation
B. Authentication
C. Negotiation
D. Verification
Question. Which of the following encryption algorithms (ciphers) is supported on VPN-enabled Cisco IOS routers? (Choose all that apply.)
A. Blowfish
B. DUAL
C. SEAL
D. 3DES
E. AES
F. RSA
Question. Fill in the blanks in the paragraph below with a letter corresponding to the correct choice from the list:
IKE Phase I uses a _____ to group elements together, whereas IKE Phase II groups ciphers and HMACs and other parameters in a _____.
Choices:
A. Negotiation set
B. Encryption set
C. HMAC (Hashing Media Authentication Code) set
D. Transform set
E. Policy set
Question. Which of the following is true about a crypto map? (Choose all that apply.)
A. You can only have one crypto map per interface.
B. You can only have one crypto map per router.
C. A single crypto map can support multiple peers.
D. A single crypto map can support only one peer.
E. Crypto maps group all the policy elements of a transform set.
A. Headend VPN device
B. VPN access device
C. Tunnel
D. Broadband service
A. Confidentiality
B. Integrity
C. Authentication
D. Authorization
A. Main mode
B. Quick mode
C. Aggressive mode
D. Promiscuous mode
Question. Which of the following statements is true about using the Cisco SDM VPN Wizard? (Choose one.)
A. You cannot configure to the same level of granularity as with the CLI.
B. There is no SDM item to test the VPN once it is created, and you must use the CLI to generate traffic to launch the VPN.
C. You can test the VPN once it is created and use the SDM to generate traffic to launch the VPN if needed.
D. The SDM cannot create a site-to-site VPN. This must be accomplished through the CLI, though a new version of the SDM is planned that will have wizards to accomplish this task.
E. None of the above.
A. L2TP tunnel
B. L2F tunnel
C. GRE tunnel
D. ISAKMP tunnel
A. Transform set
B. ISAKMP policy
C. ACL
D. Diffie-Hellman group
A. group 2
B. diffie-hellman 2
C. df group 2
D. pre-share group 2
a. Interface for the VPN connection
b. IP address for the remote peer
c. Transform set for the IPsec tunnel
d. Source interface where encrypted traffic originates
A. show crypto isakmp sa
B. show crypto ipsec sa
C. show crypto ike active
D. show crypto sa active
A. Transform set configuration mode
B. Crypto map configuration mode
C. ISAKMP configuration mode
D. Interface configuration mode
A. Transform set
B. Interface
C. Virtual template
D. ISAKMP proposal
A. Easy VPN Setup
B. Quick Setup
C. Step-by-Step
D. DMVPN Setup