CCNP Security FAQ: Virtual Private Networks
Q1. Which type of encryption is stronger?
A. Group 2 Diffie-Hellman
B. AES-128
C. 3DES
D. AES-192
E. DES
Q2. Which service uses UDP port 500?
A. IPSec
B. OAKLEY
C. IKE
D. None of these answers are correct
Q3. Which service uses TCP port 50?
A. IKE
B. AH
C. OAKLEY
D. ESP
E. None of these answers are correct
Q4. What is the size of the output for an MD5 hash?
A. There is no fixed size.
B. 256 bits
C. 255 bits
D. 128 bits
E. None of these answers are correct
Q5. What is the most scalable VPN solution?
A. Manual-IPSec with CAs
B. IKE using OAKLEY
C. IKE using CAs
D. CAs using preshared keys
E. None of these answers are correct
Q6. What is the function of the access list with regard to VPNs?
A. It tells the Security Appliance what traffic should be allowed.
B. It tells the Security Appliance what traffic should be encrypted.
C. It tells the Security Appliance what traffic should be denied.
D. None of these answers are correct.
Q7. What is the configuration value for the unlimited ISAKMP phase 1 lifetime?
A. Unlim
B. 99999
C. 86400
D. 19200
E. 0
Q8. The X509v3 standard applies to which standard or protocol?
A. Authentication Header format
B. ESP header format
C. Digital certificates
D. Diffie-Hellman negotiation
E. AES encryption
Q9. What are three types of VPNs?
A. Hardware, software, and concentrator
B. Manual, dynamic, and very secure
C. Dialup, cable, and LAN
D. Access, intranet, and extranet
E. Internet, extranet, and dialup
Q10. What command will allow you to watch the IKE negotiations?
A. debug isakmp sa
B. debug crypto isakmp
C. view isakmp neg
D. view crypto isakmp
E. debug isakmp crypto
Q11. What features of WebVPNs differ from IPSec VPNs?
A. WebVPNs are clientless.
B. WebVPNs allow port forwarding.
C. WebVPNs securely access e-mail systems.
D. WebVPNs are supported only by ASA 55X0 firewalls.
E. None of these answers are correct
Q12. Why is manual-ipsec not recommended by Cisco?
Q13. What is the difference between an access VPN and an intranet VPN?
Q14. Which hash algorithm is configured by default for phase 1?
Q15. What are the two methods of identifying SA peers?
Q16. What happens if you have different ISAKMP policies configured on your potential SA peers, and none of them match?
Q17. Where do you define your authentication method?
Q18. What authentication types are supported for e-mail proxy services?
Answer:
- AAA
- certificate
- mailhost
- piggyback
Q19. What is the default lifetime if not defined in isakmp policy?
Q20. Do your transform sets have to match exactly on each peer?
Q21. What is the difference between the isakmp lifetime and the crypto map lifetime?
Q22. What command do you use to delete any active SAs?
Q23. What is the command for defining a preshared key?
Q24. What is the first thing you should check if you are unable to establish a VPN?
Q25. What commands are required to enable file browsing on a WebVPN connection?
Q26. What is the command to apply an access list to a crypto map?
Q27. What is the difference between ESP and AH?