Config Router

You are here: Home / Cisco / CCNP Security VPN FAQ: Overview of VPN and IPSec Technologies

CCNP Security VPN FAQ: Overview of VPN and IPSec Technologies

by

CCNP Security VPN FAQ: Overview of VPN and IPSec Technologies

Question. Which Cisco hardware product families support IPSec VPN technology?

Answer: Cisco IOS routers, PIX Firewalls, and VPN 3000 Series Concentrators, including the VPN 3002 Hardware Client, support IPSec VPN technology

Question. What are the two IPSec protocols?

Answer: The two IPSec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP)

Question. Which type of VPNs use a combination of the same infrastructures that are used by the other two types of VPNs?

Answer: Business-to-business, or extranet, VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs.
2-1

Question. Which of the Cisco VPN 3000 Series Concentrators is a fixed-configuration device?

Answer: The Cisco VPN 3005 Concentrator is a fixed-configuration system that supports up to 100 simultaneous sessions.

Question. What key element is contained in the AH or ESP packet header?

Answer: The key element contained in each protocol’s header is the Security Parameters Index (SPI), giving the destination peer the information that it needs to authenticate and decrypt the packet.

Question. What are the two modes of operation for AH and ESP?

Answer:AH and ESP use Transport and Tunnel modes. In Transport mode, the original IP packet header is left intact and is not protected by IPSec. In Tunnel mode, the original IP packet header is copied and the entire original IP packet is then protected by AH or ESP.

Question. How many Security Associations (SAs) does it take to establish bidirectional IPSec communications between two peers?

Answer:It takes three SAs to establish bidirectional IPSec communications between two peers. IPSec SAs are simplex, so it takes one for each direction for IKE Phase 2. IKE SAs are bidirectional, so you only need one of those to complete IKE Phase 1.

Question. What is a message digest?

Answer: A message digest is a condensed representation of a message of a fixed length, which depends on the hashing algorithm used.

Question. Which current RFCs define the IPSec protocols?

Answer: There are two IPSec protocols, AH and ESP. AH is now defined by RFC 2402. ESP is now defined by RFC 2406. Their original RFCs were 1826 and 1827, respectively.

Question. What message integrity protocols does IPSec use?

Answer: IPSec uses Message Digest 5 (MD5), Secure Hash Algorithm-1 (SHA-1), and HashBased Message Authentication Code (HMAC) as hashing protocols to provide message integrity.

Question. What is the triplet of information that uniquely identifies a security association?

Answer: The combination of the destination IP address, the IPSec protocol, and the SPI
uniquely identifies a security association.

Question. You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?

Answer: If you select to use both ESP authentication and encryption, encryption is performed first. This allows authentication to be done with the assurance that the sender does not alter the datagram before transmission and the receiver can authenticate the datagram before decrypting the package.

Question. What five parameters are required by IKE Phase 1?

Answer: IKE Phase 1 needs to know the following five parameters:
A. Encryption algorithm
B. Hashing algorithm
C. Authentication method
D. Key exchange method
E. IKE SA lifetime

Question. What is the difference between the deny keyword in a crypto Access Control List (ACL) and the deny keyword in an access ACL?

Answer: In an access ACL, the deny keyword tells the network device to drop the packet. In a crypto ACL, the deny keyword tells the network device to pass the traffic in the clear without the benefit of IPSec security.

Question. What transform set would allow SHA-1 authentication of both AH and ESP packets and would also provide Triple Data Encryption Standard (3DES) encryption for ESP?

Answer: The transform set that would allow 3DES for ESP and SHA-1 for both is ah-shahmac esp-3des esp-sha-hmac.

Question. What are the five steps of the IPSec process?

Answer: The five steps of the IPSec process are as follows:
A. Interesting traffic triggers IPSec process.
B. Authenticate peers and establish IKE SAs (IKE Phase 1).
C. Establish IPSec SAs (IKE Phase 2).
D. Allow secured communications.
E. Terminate VPN.

Question. What are the Cisco hardware product families that support IPSec VPN technology?

Answer: Cisco IOS Software routers, PIX Firewalls, and VPN 3000 Series Concentrators, including the VPN 3002 Hardware Client, support IPSec VPN technology

Question. What are the two IPSec protocols?

Answer: The two IPSec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP).

Question. What are the three major VPN categories?

Answer: The three major VPN categories are remote access, intranet (site-to-site), and extranet (business-to-business).

Question. What is an SEP module used for?

Answer: Scalable Encryption Processing (SEP) modules are used with Cisco VPN 3030, 3060, and 3080 Concentrators to provide hardware-based encryption services.

Question. What are the primary reasons cited for choosing VPN technology?

Answer: Security and reduced cost are most often cited as the reasons for selecting VPN technology.

Question. Why are remote access VPNs considered ubiquitous?

Answer: Remote access VPNs are considered ubiquitous because they can be established any time from practically anywhere over the Internet.

Question. What types of VPNs are typically built across service provider shared network infrastructures?

Answer: Site-to-site, or intranet, VPNs are typically built across service provider shared network infrastructures, such as Frame Relay, ATM, or point-to-point circuits.

Question. Which type of VPNs use a combination of the same infrastructures that are used by the other two types of VPNs?

Answer: Business-to-business, or extranet, VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs.

Question. What hardware would you use to build intranet and extranet VPNs?

Answer: Cisco IOS Software routers are the best choice for intranet and the site-to-site portion of extranet VPNs. VPN encryption modules in these devices can provide powerful platforms for supporting VPNs between sites.

Question. Which Cisco routers provide support for Cisco EzVPN Remote?

Answer: The Cisco router models that support Cisco EzVPN Remote include Models 827H, uBR905, 806, 1710, and 1700. Of these, the 827H and the 806 offer support only for EzVPN Remote. The others also provide support for EzVPN Server.

Question. Which Cisco router series supports VAMs?

Answer: The Cisco 7200 Router Series supports VPN Acceleration Modules (VAMs) to enhance VPN support characteristics on the router.

Question. Which Cisco router series supports ISMs?

Answer: The Cisco 7100 Router Series supports Integrated Services Modules (ISMs) to expand the VPN capabilities of the router.

Question. Which of the Cisco PIX Firewall models are fixed-configuration devices?

Answer: The Cisco PIX 501 Firewall and the Cisco PIX 506E Firewall models are fixedconfiguration devices.

Question. Which Cisco PIX Firewall models offer a failover port for high availability and support VACs?

Answer: The three high-end models of the PIX Firewall have a failover port and support VPN Accelerator Cards (VACs). Those models are the Cisco PIX 515E Firewall, the Cisco PIX 525 Firewall, and the Cisco PIX 535 Firewall.

Question. Which series of Cisco hardware devices are purpose-built remote access VPN devices?

Answer: The Cisco VPN 3000 Series Concentrators were designed specifically to support remote access VPN services.

Question. Which of the Cisco VPN 3000 Series Concentrators is a fixed-configuration device?

Answer: The Cisco VPN 3005 Concentrator is a fixed-configuration system that supports up to 100 simultaneous sessions.

Question. Which of the Cisco VPN 3000 Series Concentrators can accept SEP modules?

Answer: The three high-end concentrators support SEP modules. These systems are the Cisco VPN 3030 Concentrator, the 3060 Concentrator, and the 3080 Concentrator.

Question. What feature of the Cisco Unity Client makes it scalable?

Answer: The client version updates can be pushed to the user’s system from a central network site when the user makes the initial login attempt. This scalability feature relieves the burden of having to configure numerous client systems and enables a managed growth path for VPN deployment.

Question. Which of Cisco’s VPN clients can be used with any operating system that communicates in IP?

Answer: The Cisco VPN 3002 Hardware Client enables any user device that communicates in IP to access an IPSec tunnel. Operating systems such as Windows, Solaris, MAC, and Linux can all participate in IPSec secure communications using these devices.

Question. What protocol enables IP-enabled wireless devices such as PDAs and Smart Phones to participate in VPN communications?

Answer: The Elliptic Curve Cryptosystem (ECC) Protocol permits IP-enabled wireless devices to participate in VPN communications. All Cisco VPN 3000 Series Concentrators support ECC, which is a new Diffie-Hellman group that allows faster processing of keying information.

Question. What are the three phases of Cisco Mobile Office?

Answer: The three phases of Cisco Mobile Office are On The Road, At Home, and At Work

Question. What is the distinctive characteristic of Cisco VPN Device Manager?

Answer: Cisco VPN Device Manager is an embedded device manager that is installed directly into a supporting router’s flash memory

Question. What is Cisco’s AAA server, and what AAA systems does it support?

Answer: The Cisco Secure Access Control Server (ACS) is Cisco’s Authentication, Authorization, and Accounting (AAA) server. This device supports both Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS).

Question. Which web-based management tool can display a physical representation of each managed device?

Answer: CiscoView is the web-based management tool that displays a physical representation of each managed device. Modules, ports, and indicators are depicted with color coding to indicate the current, dynamically updated status of the element.

Question. What are the current RFCs that define the IPSec protocols?

Answer: There are two IPSec protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). AH is defined by RFC 2402. ESP is defined by RFC 2406. Their original RFCs were 1826 and 1827, respectively.

Question. What are three shortcomings of IPSec?

Answer: Any of the following are shortcomings of IPSec:
A. IPSec does not support DLSw or SRB.B. IPSec does not support multipoint tunnels.C. IPSec works strictly with unicast IP datagrams only. It does not work with multicast or broadcast IP datagrams.D. IPSec is slower than Cisco Encryption Technology (CET) because IPSec provides per-packet data authentication.E. IPSec provides packet expansion that can cause fragmentation and reassembly of IPSec packets, creating another reason that IPSec is slower than CET.

Question. What message encryption protocols does IPSec use?

Answer: IPSec uses Data Encryption Standard (DES) and Triple DES (3DES) encryption protocols.

Question. What message integrity protocols does IPSec use?

Answer: IPSec uses Message Digest 5 (MD5), Secure Hash Algorithm-1 (SHA-1), and Hashbased Message Authentication Code (HMAC) as hashing protocols to provide message integrity.

Question. What methods does IPSec use to provide peer authentication?

Answer: Three methods are available to IPSec for peer authentication: preshared keys, RSA digital signatures, and RSA encrypted nonces.

Question. What methods does IPSec use for key management?

Answer: IPSec uses Certificate Authorities (CAs) and the Diffie-Hellman key exchange process for key management.

Question. What is the key element contained in the AH or ESP packet header?

Answer: The key element contained in each protocol’s header is the SPI, giving the destination peer the information it needs to authenticate and decrypt the packet.

Question. Which IPSec protocol does not provide encryption services?

Answer: Authentication Header (AH) does not provide encryption services. AH packets are sent as clear text.

Question. What is the triplet of information that uniquely identifies a Security Association?

Answer: The combination of the destination IP address, the IPSec protocol, and the Security Parameters Index (SPI) uniquely identifies a Security Association (SA).

Question. What is an ICV?

Answer: An Integrity Check Value (ICV) is a calculated representation of the immutable contents of an IPSec packet. Each peer calculates this value for the packet independently. If the values do not match, the packet is considered as having been altered in transit and the packet is discarded.

Question. What IPSec protocol must you use when confidentiality is required in your IPSec communications?

Answer: You must use ESP when confidentiality is required in your IPSec communications. ESP provides encryption; AH does not.

Question. What is the primary difference between the mechanisms used by AH and ESP to modify an IP packet for IPSec use?

Answer: AH inserts an IPSec header into the packet containing the SPI and other related information. ESP encapsulates the original IP packet or the data portion of that packet by surrounding it with both a header and a trailer.

Question. What are the two modes of operation for AH and ESP?

Answer: AH and ESP use Transport and Tunnel modes. In Transport mode, the original IP packet header is left intact and is not protected by IPSec. In Tunnel mode, the original IP packet header is copied and the entire original IP packet is then protected by AH or ESP.

Question. Which IPSec protocol should you use if your system is using NAT?

Answer:AH does not support Network Address Translation (NAT) because changing the source IP address in the IP header causes authentication to fail.

Question. You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?

Answer:If you select to use both ESP authentication and encryption, encryption is performed first. This allows authentication to be done with assurance that the sender does not alter the datagram before transmission and the receiver can authenticate the datagram before decrypting the package.

Question. How many SAs does it take to establish bidirectional IPSec communications between two peers?

Answer:It takes three SAs to establish bidirectional IPSec communications between two peers. IPSec SAs are simplex, so it takes one for each direction for IKE Phase 2. IKE SAs are bidirectional, so you only need one of those to complete IKE Phase 1.

Question. Which encryption protocol was considered unbreakable at the time of its adoption?

Answer:The Data Encryption Standard (DES) holds this distinction. DES was once considered such a strong encryption technique that it was barred from export from the continental United States.

Question. What process does 3DES use to obtain an aggregate 168-bit key?

Answer:Triple DES performs an encryption process, a decryption process, and then another encryption process, each with a different 56-bit key. This triple process produces an aggregate 168-bit key, providing strong encryption.

Question. What is a message digest?

Answer:A message digest (MD) is a condensed representation of a message of a fixed length,
which depends on the hashing algorithm used.

Question. What does HMAC-MD5-96 mean?

Answer:HMAC-MD5-96 is a variant of MD5 that uses a 128-bit secret key to produce a 128-bit MD. AH and ESP-HMAC only use the left-most 96 bits, placing them into the authentication field. The destination peer then calculates a complete 128-bit message digest but then only uses the left-most 96 bits to compare with the value stored in the authentication field

Question. What does HMAC-SHA1-96 mean?

Answer:HMAC-SHA1-96 is a variant of SHA-1 that produces a 160-bit message digest using a 160-bit secret key. Cisco’s implementation of HMAC-SHA1-96 truncates the 160-bit MD to the left-most 96 bits and sends those in the authentication field. The receiving peer recreates the entire 160-bit message digest using the same 160-bit secret key but then only compares the leading 96 bits against the MD fragment in the authentication field.

Question. How are preshared keys exchanged?

Answer:Preshared keys are exchanged manually, severely impacting the scalability of their use.

Question. What does the Diffie-Hellman key agreement protocol permit?

Answer:The Diffie-Hellman (D-H) key agreement protocol allows two peers to exchange a secret key without having any prior secrets. This protocol is an example of an asymmetrical key exchange process in which peers exchange different public keys to generate identical private keys.

Question. Why is D-H not used for symmetric key encryption processes?

Answer:Asymmetric key encryption processes like Diffie-Hellman are much too slow for the bulk encryption required in high-speed VPN circuits.

Question. What is a CRL?

Answer:A Certificate Revocation List (CRL) is a list of expired or voided digital certificates that a CA makes available to its customers. Clients use these CRLs during the process of authenticating a peer.

Question. What are the five parameters required by IKE Phase 1?

Answer:IKE Phase 1 needs to know the following parameters:
A. Encryption algorithm
B. Hashing algorithm
C. Authentication method
D. Key exchange method
E. IKE SA lifetime

Question. What are the valid AH authentication transforms?

Answer:There are only three valid AH authentication transforms: ah-md5-hmac, ah-sha-hmac, and ah-rfc1828.

Question. What transform set would allow for SHA-1 authentication of both AH and ESP packets and would also provide 3DES encryption for ESP?

Answer:The transform set that would allow for 3DES for ESP and SHA-1 for both is ah-sha-hmac esp-3des esp-sha-hmac.

Question. What steps should you take before you begin the task of configuring IPSec on a Cisco device?

Answer:The five preconfiguration steps are as follows:
Step 1 Establish an IKE policy.
Step 2 Establish an IPSec policy.
Step 3 Examine the current configuration.
Step 4 Test the network before IPSec.
Step 5 Permit IPSec ports and protocols.

Question. What are the five steps of the IPSec process?

Answer:The five steps of the IPSec process are as follows:
Step 1 Interesting traffic triggers IPSec process.
Step 2 Authenticate peers and establish IKE SAs (IKE Phase 1).
Step 3 Establish IPSec SAs (IKE Phase 2).
Step 4 Allow secured communications.
Step 5 Terminate VPN

Question. What is the difference between the deny keyword in a crypto ACL and the deny keyword in an access ACL?

Answer:In an access ACL, the deny keyword tells the network device to drop the packet. In
a crypto ACL, the deny keyword tells the network device to pass the traffic in the
clear without the benefit of IPSec security.