IPSec VPN

Question 1

What are the suite of protocols used in IPSec?

Answer 1

Internet Key Exchange
Authentication Header
Encapsulating Security Payload

Question 2

Does Foritnet use AH for IPSec?

Answer 2

No, because it doesn’t encrypt

Question 3

What port and protocol number does IKE no NAT use (IPSec)

Answer 3

protocol number 17
UDP 500

Question 4

What port and protocol number does IKE NAT-T use (IPSec)

Answer 4

Protocol 17 port 4500

Question 5

What port and protocol number does ESP use (no-NAT)

Answer 5

Protocol 50 UDP port 4500

Question 6

What port and protocol number does ESP use (NAT-T

Answer 6

IP protocol 17 UDP 4500

Question 7

What are the two modes of IPSec?

Answer 7

Transport mode
Tunnel model - extra IP header

Question 8

In IPsec transport mode, is the original IP header Encrypted?

Answer 8

No

Question 9

In IPSec Tunnel mode is the original IP header Encrypted?

Answer 9

Yes

Question 10

How many IKE phases are there?

Answer 10

Two

Question 11

What happens during IKE Phase 1

Answer 11

A IKE Security Association is created to help negotiate the IKE IP Sec SA

Question 12

What happens During IKE Phase 2?

Answer 12

A IPSec SA is created which creates the channel for encrypting and decrypting data.

Question 13

For IPSec remote users, how is FTG configured?

Answer 13

As a dial up server

Question 14

What does AD-VPN stand for?

Answer 14

Auto-Discovery VPN

Question 15

How can peers authenticate each other in IKE Phase 1

Answer 15

PSK or Digital Signature
XAuth

Question 16

How does the IKE Phase two use DH keys from phase one?

Answer 16

It uses the public key and a nonce to generate a common private key

Question 17

How do you get FTG to act as a IKE mode config client

Answer 17

Enable mode config
set remote gateway to Static IP or Dynamic DNS

Question 18

How do you get FTG to act as a IKE mode config server

Answer 18

Enable mode config
set remote gateway to Dialup user

Question 19

What are the three types of options for configuring a remote gateway IPSec VPN?

Answer 19

Dial up user
Static IP
Dynamic User

Question 20

When do you use the Dial up user remote gateway?

Answer 20

When the remote client or gateway IP Address is not known, Can be for VPN Client or remote gateway

Question 21

When do you use Static IP or Dynamic DNS for IPSec Remote Gateway

Answer 21

When you know the IP address of the remote peer.

Question 22

Can both gateways be configured as dialup users?

Answer 22

No, one has to be a server.

Question 23

What does mode config on FGT causes to do?

Answer 23

FTG, acting as a dial-up server, pushes network settings to dial-up clients

Question 24

Does mode config need to be enabled on both peers for IPSec?

Answer 24

Yes

Question 25

Does ESP support NAT be default?

Answer 25

No, it does not use port numbers to track different tunnels.

Question 26

What happens when NAT-T detects NAT?

Answer 26

Both ESP and IKE use UDP port 4500

Question 27

What does NAT traversal set to forced do?

Answer 27

It will always use UDP port 4500 even if there is no NAT.

Question 28

What does mode config do when enabled?

Answer 28

Assigns an IP address, netmask, and DNS server to the client

Question 29

What is DPD

Answer 29

Dead peer detection

Question 30

What are the three DPD modes

Answer 30

On Demand, On Idle and disabled

Question 31

What DPD On Demand Mode?

Answer 31

FTG sends a DPD probes if it detects there is only outbound traffic and no inbound. (default mode)

Question 32

What is DPD On Idle mode?

Answer 32

DPD sent when no traffic on the the tunnel is observed. Resource intensive so use with few tunnels

Question 33

What is DPD disabled mode

Answer 33

FTG only replies to DPD packets but does not send them.

Question 34

Which IKE mode is considered more secure and why?

Answer 34

Main mode, because the pre-shared key hash is exchanged encrypted

Question 35

What IKE mode is considered faster?

Answer 35

Aggressive, it only uses three packets.

Question 36

Can IKE Main mode support peer ID check?

Answer 36

no, Aggressive mode should be used as it sends peer ID in first packet.

Question 37

IPSec Phase 1 proposal, what is the default key lifetime?

Answer 37

86400

Question 38

What must be negotiated in IPSec phase 1?

Answer 38

Encryption, Authentication, DH Group.

Question 39

When you use XAUTH how do you select which user group to use>

Answer 39

1. Inherit from policy: users are pulled from the match IPSec policy.
2. Choose, specify the user group

Question 40

What is Perfect Forward Secrecy?

Answer 40

FTG uses DH to generate new keys each time phase 2 expires.

Question 41

What is the encryption domain

Answer 41

It’s interesting traffic, that you want to protect with the tunnel and is determined by phase 2 tunnel.

Question 42

What types of Phase 2 selectors are there>

Answer 42

Local Address and Remote Address
Protocol number
Local port and remote port

Question 43

Do you need to configure an Phase 2 proposal for each selector?

Answer 43

yes, one or more proprosal

Question 44

Does CHACHA20POLY1305 support NPU offload?

Answer 44

No

Question 45

True or false 3DES is not much more resource intensive setting then DES or AES

Answer 45

False. it is more intensive.

Question 46

What is enable relay detection for IPSec?

Answer 46

Detects replay attacks

Question 47

Do you have to have match lifetime thresholds for a tunnel to come up?

Answer 47

no, FTG will use the lower threshold.

Question 48

What does auto-negotiate prevent?

Answer 48

The tunnel from going down to renegotiate the SA

Question 49

T or F: Auto-negotiate brings the tunnel up and stays up even with no interesting traffic

Answer 49

True

Question 50

What are the two types of IPsec VPNs>

Answer 50

Route based
Policy based

Question 51

What is a route-based IPSec VPN

Answer 51

A virtual interface for each VPN is created.

Question 52

What other types of VPN use if you use route-based IPsec VPNs?

Answer 52

L2TP-over-IPsec
GRE-over-IPsec
Dynamic routing protocols

Question 53

Should you enable DPD in a redundant VPN

Answer 53

YES