Module 18: Quiz – VPNs (Answers) Network Security

1. A network administrator is planning a VPN tunnel. Why would the engineer select main mode for IKE Phase 1?

  • It requires less configuration.
  • It is the industry standard.
  • It is quicker.
  • It is more secure.

Explanation: The two modes for IKE Phase 1 are main and aggressive. Main mode takes more time because the identities of the IKE peers are hidden from eavesdroppers. On Cisco devices, the default action for IKE authentication is to initiate main mode, but the device will respond in aggressive mode to a peer that has initiated aggressive mode.

2. What are the two types of VPN connections? (Choose two.)

  • site-to-site
  • leased line
  • remote access
  • Frame Relay
  • PPPoE

Explanation: PPPoE, leased lines, and Frame Relay are types of WAN technology, not types of VPN connections.

3. Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality?

  • ESP
  • DH
  • AH
  • IP protocol 50

Explanation: Authentication Header (AH) is IP protocol 51 and does not provide data confidentiality. The data payload is not encrypted. Encapsulating Security Payload (ESP) is IP protocol 50 and provides data confidentiality, integrity, and authentication. The DH algorithm is used in IPsec to negotiate a shared secret key for the peers.

4. What can be used as a VPN gateway when setting up a site-to-site VPN?

  • Cisco Unified Communications Manager
  • Cisco Catalyst switch
  • Cisco AnyConnect
  • Cisco router

Explanation: A Layer 3 device, such as a Cisco router, would be used as the VPN gateway for a site-to-site VPN that connects two remote networks.

5. Which two types of VPNs are examples of enterprise-managed remote access VPNs? (Choose two.)

  • IPsec VPN
  • GRE over IPsec VPN
  • IPsec Virtual Tunnel Interface VPN
  • clientless SSL VPN
  • client-based IPsec VPN

Explanation: Enterprise-managed VPNs can be deployed in two configurations:

  • Remote Access VPN – This VPN is created dynamically when required to establish a secure connection between a client and a VPN server. Remote access VPNs include client-based IPsec VPNs and clientless SSL VPNs.
  • Site-to-site VPN – This VPN is created when interconnecting devices are preconfigured with information to establish a secure tunnel. VPN traffic is encrypted only between the interconnecting devices, and internal hosts have no knowledge that a VPN is used. Site-to-site VPNs include IPsec, GRE over IPsec, Cisco Dynamic Multipoint (DMVPN), and IPsec Virtual Tunnel Interface (VTI) VPNs.

6. Which type of VPN may require the Cisco VPN Client software?

  • remote access VPN
  • site-to-site VPN

Explanation: With a remote-access VPN, the client peer may need special VPN client software installed.

7. Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN?

  • AES
  • MD5
  • IPsec
  • ESP

Explanation: IPsec services allow for authentication, integrity, access control, and confidentiality. With IPsec, the information exchanged between remote sites can be encrypted and verified. Both remote-access and site-to-site VPNs can be deployed using IPsec.

8. Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit?

  • authentication
  • secure key exchange
  • integrity
  • confidentiality

Explanation: Integrity is a function of IPsec and ensures that data arrives unchanged at the destination through the use of a hash algorithm. Confidentiality is a function of IPsec and uses encryption with a key to protect data transfers. Authentication is a function of IPsec and grants access only to users and devices that present valid authentication factors. Secure key exchange is a function of IPsec and allows two peers to establish a shared secret by exchanging only their public keys while keeping their private keys confidential.

9. Which statement describes a feature of site-to-site VPNs?

  • The VPN connection is not statically defined.
  • Individual hosts can enable and disable the VPN connection.
  • Internal hosts send normal, unencapsulated packets.
  • VPN client software is installed on each host.

Explanation: Site-to-site VPNs are statically defined VPN connections between two sites that use VPN gateways. The internal hosts do not require VPN client software and send normal, unencapsulated packets onto the network where they are encapsulated by the VPN gateway.

10. What is a type of VPN that is generally transparent to the end user?

  • site-to-site
  • remote access
  • public
  • private

Explanation: With site-to-site VPNs, internal hosts have no knowledge that a VPN exists. Remote access VPNs support a client/server architecture, where the VPN client (remote host) gains secure access to the enterprise network via a VPN server device at the network edge. Public and private are not VPN types.

11. Which statement describes a VPN?

  • VPNs use open source virtualization software to create the tunnel through the Internet.
  • VPNs use dedicated physical connections to transfer data between remote users.
  • VPNs use virtual connections to create a private network through a public network.
  • VPNs use logical connections to create public networks through the Internet.

Explanation: A VPN is a private network that is created over a public network. Instead of using dedicated physical connections, a VPN uses virtual connections routed through a public network between two network devices.

12. What is the purpose of IKE?

  • firewall port management
  • security appliance configuration
  • VPN key management
  • key transmission

Explanation: The Internet Key Exchange (IKE) protocol is a key management protocol standard used when creating an IPsec VPN tunnel. IKE negotiates security associations (SAs) and calculates shared keys.
