Implementing IPSec Site-to-Site VPNs Flashcards
Name three things that can be part of both an IKE Phase 1 and an IKE Phase 2 policy.
MD5, AES, Diffie-Hellman (DH)
How is it possible that a packet with a private Layer 3 destination address is forwarded over the Internet?
It is encapsulated into another packet, and the Internet only sees the outside valid IP destination address
What is the method for specifying the IKEv1 Phase 2 encryption method?
crypto ipsec transform-set
Which method potentially could be negotiated during IKEv1 Phase 2?
Hashing, DH group, Encryption
Which of the DH groups is the most prudent to use when security is of the utmost importance?
5
Name three things that are part of the IKEv1 Phase 2 process.
Specifying a hash (HMAC), Running DH (PFS), Negotiating the transform set to use
Which encryption method is used to protect the negotiation of the IPSec (IKEv1 Phase 2) tunnel?
The one that is negotiated in the ISAKMP policy
What is the most secure method for authentication of IKE Phase 1?
RSA signatures, using digital certificates to exchange public keys
What component is not placed directly in a crypto map?
Authentication policy
What would cause a VPN tunnel using IPSec to never initialize or work correctly?
Incompatible IKEv1 Phase 2 transform set, Incorrect pre-shared key or missing digital cert, Lack of interesting traffic, Incorrect routing
What IKE versions are supported by the Cisco ASA?
IKEv1, IKEv2, IKEv3, IKEv4
What is the purpose of NAT exemption?
To bypass NAT for traffic in the VPN tunnel
What commands are useful when troubleshooting VPN problems in the Cisco ASA?
show isakmp sa detail, debug crypto ikev1 | ikev2, show crypto ipsec sa detail, show vpn-sessiondb
The Cisco ASA cannot be configured with more than one IKEv1 or IKEv2 policy?
False