Module 19: Quiz – Implement Site-to-Site IPsec VPNs (Answers) Network Security

1. What is defined by an ISAKMP policy?

  • the security associations that IPsec peers are willing to use
  • the IP addresses of IPsec peers
  • access lists that identify interesting traffic
  • the preshared keys that will be exchanged between IPsec peers

Explanation: The ISAKMP policy lists security associations (SAs) that an IPsec peer is willing to use to establish an IKE tunnel.

2. Which are the five security associations to configure in ISAKMP policy configuration mode?

  • Hash, Accounting, Group, Lifetime, ESP
  • Hash, Authorization, Group, Lifetime, Encryption
  • Hash, Authentication, Group, Lifetime, Encryption
  • Hash, Authentication, GRE, Lifetime, ESP

Explanation: When in ISAKMP policy configuration mode, the security associations for the IKE Phase 1 tunnel can be configured. Use the mnemonic HAGLE to remember the five security associations to configure:

  • Hash
  • Authentication
  • Group
  • Lifetime
  • Encryption

3. What command or action will verify that a VPN tunnel has been established?

  • Issue a show ip interface command.
  • Issue a show crypto map command.
  • Issue a show crypto isakmp sa command.
  • Send interesting traffic from the VPN router interface.

Explanation: To verify that tunnels have been established, use the show crypto isakmp sa or show crypto ipsec sa commands. Sending interesting traffic does not actually mean that the tunnels are established. The show crypto map command is used to verify the crypto map configuration.

4. What three protocols must be permitted through the company firewall for establishment of IPsec site-to-site VPNs? (Choose three.)

  • AH
  • ESP
  • NTP
  • SSH

Explanation: ESP, AH, and ISAKMP must all be permitted through the perimeter routers and firewalls in order for IPsec site-to-site VPNs to be established. NTP and HTTPS are application protocols and are not required for IPsec.

5. Refer to the exhibit. The ISAKMP policy for the IKE Phase 1 tunnel was configured, but the tunnel does not yet exist. Which action should be taken next before IKE Phase 1 negotiations can begin?

  • Configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel.
  • Configure an ACL to define interesting traffic.
  • Configure the IPsec tunnel lifetime.
  • Bind the transform set with the rest of the IPsec policy in a crypto map.

Explanation: Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does not yet exist, as verified with the show crypto isakmp sa command. Interesting traffic must be detected before IKE Phase 1 negotiations can begin. To define interesting traffic, each router has to be configured with an ACL to permit traffic from the local LAN to the remote LAN.

6. What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?

  • interesting traffic
  • transform sets
  • ISAKMP SA policy
  • DH groups

Explanation: Establishing an IPsec tunnel involves five steps:

  • Detection of interesting traffic defined by an ACL
  • IKE Phase 1 in which peers negotiate ISAKMP SA policy
  • IKE Phase 2 in which peers negotiate IPsec SA policy
  • Creation of the IPsec tunnel
  • Termination of the IPsec tunnel

7. A network analyst is configuring a crypto map and has just bound the ACL and the transform set to the map, and set the IPsec tunnel lifetime. What other step completes the configuration of the crypto map?

  • Define the interesting traffic.
  • Configure the DH group.
  • Apply the map to an interface.
  • Configure the SA policy.

Explanation: To configure a crypto map, four steps need to be completed.

  • Bind the ACL and the transform set to the map.
  • Specify the peer’s IP address.
  • Configure the DH group.
  • Configure the IPsec tunnel lifetime.
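The following is an added example, not part of the quiz, showing how the pieces from questions 2, 5 and 7 fit together in a single Cisco IOS site-to-site configuration on one router: the five HAGLE settings in the ISAKMP policy, the ACL that defines interesting traffic, the transform set, and the crypto map that binds them with the peer address, DH group and tunnel lifetime before being applied to an interface. All addresses, names, numbers and the pre-shared key are assumed placeholders; the remote router would carry the mirror-image configuration.

```cisco
! Added example (not from the quiz): minimal IOS site-to-site IPsec VPN on router R1.
! Assumed placeholders: R1 LAN 10.1.1.0/24, R1 outside 203.0.113.1,
! R2 outside 203.0.113.2, R2 LAN 10.2.2.0/24.
!
! IKE Phase 1 (ISAKMP) policy: the five HAGLE security associations
crypto isakmp policy 10
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
! Pre-shared key for the remote peer (placeholder value)
crypto isakmp key VPN-PSK-PLACEHOLDER address 203.0.113.2
!
! ACL that defines interesting traffic (local LAN to remote LAN);
! anything this ACL does not match is forwarded unencrypted
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! IKE Phase 2 transform set: how data inside the IPsec tunnel is encrypted and hashed
crypto ipsec transform-set R1-R2-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto map: bind the ACL and transform set, set the peer, DH group and tunnel lifetime
crypto map R1-R2-MAP 10 ipsec-isakmp
 match address 101
 set transform-set R1-R2-TS
 set peer 203.0.113.2
 set pfs group14
 set security-association lifetime seconds 3600
!
! Apply the crypto map to the outside interface; nothing is negotiated until it is bound here
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map R1-R2-MAP
!
! Verify after sending interesting traffic: show crypto isakmp sa / show crypto ipsec sa
```

The crypto map number (10) and the ISAKMP policy number (10) are unrelated sequence numbers; the map only takes effect once the final "crypto map" line is applied to the interface, and the Phase 1 SA shown by show crypto isakmp sa appears only after traffic matching access list 101 triggers negotiation.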

8. What is the first step in establishing an IPsec VPN?

  • negotiation of ISAKMP policies
  • detection of interesting traffic
  • creation of a secure tunnel to negotiate a security association policy
  • creation of an IPsec tunnel between two IPsec peers

Explanation: Before an IPsec tunnel can be configured, interesting traffic must be detected. Interesting traffic is defined by an access list permit statement. Once interesting traffic is detected, by matching the access list, IKE phase 1 negotiations can begin that will establish the tunnel.

9. Refer to the exhibit. Given the partial output of the show version command on a router, if a network engineer wants to begin to configure an IPsec VPN, what would be the next step to take?

  • Accept the EULA and activate the security technology package.
  • Configure an ACL to define interesting traffic.
  • Configure the ISAKMP policy for IKE phase 1.
  • Configure a crypto map for the IPsec policy.

Explanation: Based on the partial output shown, the router software already includes ipbasek9 and securityk9. The EvalRightToUse parameter shows that the EULA license is active, thereby giving access to the cryptographic features, IPsec and ISAKMP, required to create an IPsec VPN. The next step is to configure the ISAKMP policy for IKE.

10. Refer to the exhibit. How will traffic that does not match access list 101 be treated by the router?

  • It will be sent unencrypted.
  • It will be sent encrypted.
  • It will be blocked.
  • It will be discarded.

Explanation: Access list 101 is part of the crypto map configuration on the router. The purpose of the access list is to identify interesting traffic that should be sent encrypted over the VPN. Traffic that does not match the access list is not interesting and is not encrypted; it is forwarded unencrypted, in plain text.
