IPSec VPN Flashcards

1
Q

What protocols make up the IPsec suite?

A

Internet Key Exchange (IKE)
Authentication Header (AH)
Encapsulating Security Payload (ESP)

2
Q

Does FortiGate use AH for IPsec?

A

No. AH only authenticates (integrity, no encryption), so FortiGate uses ESP, which provides both.

3
Q

What IP protocol number and port does IKE use when there is no NAT (IPsec)?

A

IP protocol 17 (UDP)
UDP port 500

4
Q

What IP protocol number and port does IKE use with NAT-T (IPsec)?

A

IP protocol 17 (UDP), port 4500

5
Q

What IP protocol number and port does ESP use (no NAT)?

A

IP protocol 50. ESP has no port numbers of its own.

6
Q

What IP protocol number and port does ESP use (NAT-T)?

A

IP protocol 17 (UDP), port 4500: ESP is encapsulated in UDP on the same port IKE uses under NAT-T.
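
Cards 3 to 6 above give the protocol numbers and ports. The Python below, added here as a worked example (not from the flashcards or from Fortinet), classifies IPv4 packets by those values, including the RFC 3948 rule that tells IKE from UDP-encapsulated ESP when both share UDP/4500: IKE on 4500 starts with a four-byte zero "non-ESP marker", a lone 0xFF byte is a NAT keepalive, anything else is ESP whose first four bytes are the SPI. The sample packets are constructed inline, not captures; the addresses and SPIs are placeholders.

```python
"""Classify IPsec-related IPv4 packets by IP protocol number and UDP port."""
import struct

PROTO_UDP = 17      # IKE, and ESP/IKE under NAT-T, travel inside UDP
PROTO_ESP = 50      # ESP without NAT: its own IP protocol, no ports
PROTO_AH = 51       # AH: integrity only, no encryption (FortiGate does not use it)
IKE_PORT = 500      # IKE when no NAT is detected
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT is detected (or NAT-T forced)


def classify(packet: bytes) -> str:
    """Label an IPv4 packet as 'ike', 'ike-natt', 'esp', 'esp-udp',
    'nat-keepalive', 'ah' or 'other'."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_AH:
        return "ah"
    if proto != PROTO_UDP:
        return "other"
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike"
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: on UDP/4500 a lone 0xFF byte is a NAT keepalive, IKE messages
        # start with a four-byte zero "non-ESP marker", and anything else is
        # UDP-encapsulated ESP whose first four bytes are the (non-zero) SPI.
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"
        return "esp-udp"
    return "other"


# --- constructed sample packets (not captures) -----------------------------
def _ipv4(proto: int, payload: bytes) -> bytes:
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Dummy 28-byte ISAKMP header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, length (values are placeholders).
ISAKMP_HDR = b"\x11" * 8 + b"\x22" * 8 + b"\x01\x10\x02\x00" + b"\x00" * 8
# Dummy ESP: SPI, sequence number, ciphertext.
ESP_HDR = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16

SAMPLES = {
    "ike":           _ipv4(PROTO_UDP, _udp(500, 500, ISAKMP_HDR)),
    "ike-natt":      _ipv4(PROTO_UDP, _udp(4500, 4500, b"\x00" * 4 + ISAKMP_HDR)),
    "esp":           _ipv4(PROTO_ESP, ESP_HDR),
    "esp-udp":       _ipv4(PROTO_UDP, _udp(4500, 4500, ESP_HDR)),
    "nat-keepalive": _ipv4(PROTO_UDP, _udp(4500, 4500, b"\xff")),
    "ah":            _ipv4(PROTO_AH, b"\x04\x04\x00\x00" + b"\x00\x00\x10\x02" + b"\x00" * 16),
    "other":         _ipv4(6, b"\x00\x50\x01\xbb" + b"\x00" * 16),  # a TCP segment
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify(pkt)}")
```

A practical consequence of the table this encodes: a firewall in front of an IPsec peer must permit UDP/500, UDP/4500 and IP protocol 50 (which is not a TCP or UDP port) or the tunnel will not come up, and a rule that only opens "port 50" does nothing for ESP.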

7
Q

What are the two modes of IPSec?

A

Transport mode
Tunnel mode - adds an extra (outer) IP header

8
Q

In IPsec transport mode, is the original IP header encrypted?

A

No. ESP protects only the payload; the original IP header stays in the clear and is used for routing.

9
Q

In IPsec tunnel mode, is the original IP header encrypted?

A

Yes. The entire original packet, header included, is encrypted and a new outer IP header is added for routing between the gateways.

10
Q

How many IKE phases are there?

A

Two

11
Q

What happens during IKE Phase 1?

A

The peers authenticate each other and establish an IKE SA: a secure, encrypted channel that is then used to negotiate the IPsec SAs in Phase 2.

12
Q

What happens during IKE Phase 2?

A

The IPsec SAs are negotiated (one per direction); they define how the data traffic is encrypted and decrypted.

13
Q

For IPsec remote users, how is FortiGate configured?

A

As a dial-up server (remote gateway type Dialup User)

14
Q

What does AD-VPN stand for?

A

Auto-Discovery VPN

15
Q

How can peers authenticate each other in IKE Phase 1?

A

Pre-shared key (PSK) or digital signature (certificate)
XAuth can be added on top for user authentication

16
Q

How does IKE Phase 2 use the DH keys from Phase 1?

A

By default, Phase 2 does not repeat the DH exchange: the shared secret from the Phase 1 DH exchange is combined with fresh nonces to derive the Phase 2 (IPsec SA) keys. With PFS enabled, a new DH exchange is performed instead.

17
Q

How do you get FortiGate to act as an IKE mode config client?

A

Enable mode config
Set the remote gateway to Static IP Address or Dynamic DNS

18
Q

How do you get FortiGate to act as an IKE mode config server?

A

Enable mode config
Set the remote gateway to Dialup User

19
Q

What are the three options for the remote gateway of an IPsec VPN?

A

Dialup User
Static IP Address
Dynamic DNS

20
Q

When do you use the Dialup User remote gateway?

A

When the IP address of the remote client or gateway is not known in advance. It works for both VPN clients and remote gateways.

21
Q

When do you use Static IP Address or Dynamic DNS for the IPsec remote gateway?

A

When you know the IP address (or DDNS name) of the remote peer.

22
Q

Can both gateways be configured as dialup users?

A

No. At least one peer must have a known address (static IP or DDNS) so that it can act as the dial-up server the other peer connects to.

23
Q

What does mode config on FortiGate do?

A

FortiGate, acting as a dial-up server, pushes network settings to the dial-up clients.

24
Q

Does mode config need to be enabled on both peers for IPSec?

A

Yes

25
Q

Does ESP support NAT by default?

A

No. ESP has no port numbers, so a NAT device cannot distinguish multiple tunnels behind it.

26
Q

What happens when NAT-T detects NAT?

A

Both ESP and IKE are encapsulated in UDP on port 4500.

27
Q

What does NAT traversal set to forced do?

A

It will always use UDP port 4500 even if there is no NAT.

28
Q

What does mode config do when enabled?

A

Assigns an IP address, netmask, and DNS server to the client

29
Q

What is DPD

A

Dead peer detection

30
Q

What are the three DPD modes

A

On Demand, On Idle, and Disabled

31
Q

What is DPD On Demand mode?

A

FortiGate sends DPD probes when it sees only outbound traffic and no inbound traffic on the tunnel (default mode).

32
Q

What is DPD On Idle mode?

A

DPD probes are sent whenever no traffic is observed on the tunnel. Resource intensive, so use it only with a small number of tunnels.

33
Q

What is DPD disabled mode

A

FortiGate only replies to DPD probes; it does not send them.
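
Cards 30 to 33 define the three DPD modes. The Python below is an added model of those definitions (not FortiOS code) that replays two constructed scenarios, a dead peer behind a busy tunnel and a dead peer behind an idle tunnel, and reports when each mode would declare the peer dead. The probe interval and retry count used here are the FortiOS defaults of 20 seconds and 3 (dpd-retryinterval and dpd-retrycount); the one-second tick timing is a simplification.

```python
"""Model of the three DPD modes on a FortiGate Phase 1 (on-demand / on-idle / disable)."""
from dataclasses import dataclass

RETRY_INTERVAL = 20.0   # seconds between probes (FortiOS default dpd-retryinterval)
RETRY_COUNT = 3         # unanswered probes before the peer is dead (FortiOS default dpd-retrycount)


@dataclass
class TunnelStats:
    now: float            # current time in seconds
    last_outbound: float  # last packet we sent into the tunnel
    last_inbound: float   # last packet (including a DPD reply) received from the peer


def should_send_dpd(mode: str, s: TunnelStats, retry_interval: float = RETRY_INTERVAL) -> bool:
    """Decide whether to send a DPD R-U-THERE probe now.

    on-demand: probe only when we keep sending but have heard nothing back
               for retry_interval (outbound traffic with no inbound).
    on-idle:   probe whenever the tunnel is silent in both directions for
               retry_interval; every idle tunnel gets probed, hence the CPU cost.
    disable:   never initiate; the peer's probes are still answered.
    """
    idle_in = s.now - s.last_inbound >= retry_interval
    idle_out = s.now - s.last_outbound >= retry_interval
    if mode == "disable":
        return False
    if mode == "on-idle":
        return idle_in and idle_out
    if mode == "on-demand":
        return idle_in and not idle_out
    raise ValueError(f"unknown DPD mode {mode!r}")


def responds_to_dpd(mode: str) -> bool:
    """All three modes answer a peer's R-U-THERE with R-U-THERE-ACK."""
    return mode in ("on-demand", "on-idle", "disable")


def time_peer_declared_dead(mode, outbound_times, inbound_times, horizon=120,
                            retry_interval=RETRY_INTERVAL, retry_count=RETRY_COUNT):
    """Replay a one-second timeline and return the second at which the peer
    is declared dead (retry_count unanswered probes), or None if never."""
    last_out = last_in = 0.0          # tunnel came up at t=0 with traffic both ways
    last_probe = float("-inf")
    missed = 0
    for now in range(horizon + 1):
        if now in outbound_times:
            last_out = now
        if now in inbound_times:      # any reply from the peer resets the counter
            last_in = now
            missed = 0
        stats = TunnelStats(now, last_out, last_in)
        if should_send_dpd(mode, stats, retry_interval) and now - last_probe >= retry_interval:
            last_probe = now
            missed += 1               # the peer in these scenarios never answers
            if missed >= retry_count:
                return now
    return None


# Constructed scenarios: the peer silently dies at t=0.
OUTBOUND_EVERY_5S = set(range(0, 121, 5))   # we keep sending application traffic
NO_TRAFFIC = set()

if __name__ == "__main__":
    for mode in ("on-demand", "on-idle", "disable"):
        print(mode,
              "busy tunnel:", time_peer_declared_dead(mode, OUTBOUND_EVERY_5S, NO_TRAFFIC),
              "idle tunnel:", time_peer_declared_dead(mode, NO_TRAFFIC, NO_TRAFFIC))
```

The model makes the trade-off behind the cards explicit: on-demand costs nothing on an idle tunnel but also detects nothing there until traffic flows, while on-idle finds a dead peer behind an idle tunnel after three missed probes at the price of probing every idle tunnel, and disable never notices on its own.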

34
Q

Which IKE mode is considered more secure and why?

A

Main mode, because the peer identities and the pre-shared key hash are exchanged only after the channel is encrypted (messages 5 and 6).

35
Q

Which IKE mode is considered faster?

A

Aggressive mode: it uses only three packets instead of main mode's six.

36
Q

Can IKE main mode support a peer ID check?

A

Not with pre-shared key authentication in IKEv1: main mode sends the ID encrypted, so the responder cannot use it to pick the PSK. Aggressive mode sends the peer ID in the first packet, so it should be used instead.

37
Q

In the IPsec Phase 1 proposal, what is the default key lifetime?

A

86400 seconds (24 hours)

38
Q

What must be negotiated in IPSec phase 1?

A

Encryption, Authentication, DH Group.

39
Q

When you use XAuth, how do you select which user group to use?

A

1. Inherit from policy: the users are taken from the matching IPsec firewall policy.
2. Choose: specify the user group explicitly.

40
Q

What is Perfect Forward Secrecy?

A

With PFS enabled, FortiGate performs a new DH exchange each time Phase 2 re-keys, so the new IPsec keys are not derived from the Phase 1 secret; compromise of one key does not expose past or future Phase 2 keys.
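
Cards 16 and 40 describe how Phase 2 keys relate to the Phase 1 DH result and what PFS changes. The Python below is an added example, not Fortinet code, modelling the IKEv1 Quick Mode key derivation from RFC 2409 section 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b). SKEYID_d, the SPI and the nonces are constructed, HMAC-SHA256 stands in for the negotiated prf, and the DH parameters are toy values chosen so the demo runs instantly (not an IKE DH group). It shows that an attacker holding SKEYID_d can recompute every non-PFS Phase 2 key from what is on the wire, but not a PFS key.

```python
"""IKEv1 Quick Mode key derivation (RFC 2409 section 5.5) with and without PFS."""
import hashlib
import hmac
import secrets

PROTO_IPSEC_ESP = 3   # IPsec DOI protocol ID for ESP in the KEYMAT input

# Toy Diffie-Hellman parameters so the demo runs instantly.  NOT an IKE DH group:
# a real FortiGate Phase 2 PFS exchange uses e.g. group 14 (2048-bit MODP).
TOY_P = 2 ** 127 - 1
TOY_G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE prf is HMAC with the negotiated hash; SHA-256 is used here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase2_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gxy: bytes = b"") -> bytes:
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).

    SKEYID_d is the key-derivation secret from the Phase 1 DH exchange; Ni_b/Nr_b
    are the fresh Phase 2 nonces.  g(qm)^xy is the shared secret of a new Quick
    Mode DH exchange and is present only when PFS is enabled.
    """
    return prf(skeyid_d, gxy + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr)


def dh_keypair():
    """Ephemeral private exponent and public value on the toy group."""
    x = secrets.randbelow(TOY_P - 2) + 2
    return x, pow(TOY_G, x, TOY_P)


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def rekey_demo(skeyid_d: bytes) -> dict:
    """One Phase 2 rekey as seen by an attacker who already holds SKEYID_d
    (e.g. from a leaked Phase 1 key) and captures everything on the wire."""
    spi = b"\x00\x00\x10\x01"                       # constructed inbound SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    # Without PFS: the wire carries SPI, Ni and Nr; SKEYID_d is all the attacker needs.
    k_nopfs = phase2_keymat(skeyid_d, spi, ni, nr)
    attacker_nopfs = phase2_keymat(skeyid_d, spi, ni, nr)

    # With PFS: both peers add a fresh DH exchange; only g^x and g^y are on the wire.
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    gxy = int_to_bytes(pow(gy, x, TOY_P))
    assert gxy == int_to_bytes(pow(gx, y, TOY_P))   # both sides agree on the secret
    k_pfs = phase2_keymat(skeyid_d, spi, ni, nr, gxy)
    # The attacker has gx and gy but neither private exponent; combining the public
    # values (here gx*gy mod p) does not reproduce g^xy, so the key stays unknown.
    attacker_pfs = phase2_keymat(skeyid_d, spi, ni, nr, int_to_bytes(gx * gy % TOY_P))

    return {
        "nopfs_recovered": attacker_nopfs == k_nopfs,
        "pfs_recovered": attacker_pfs == k_pfs,
        "keys_differ": k_nopfs != k_pfs,
    }


if __name__ == "__main__":
    print(rekey_demo(secrets.token_bytes(32)))
```

This is the reason the cards give for PFS: without it, every Phase 2 rekey only mixes fresh nonces into the same Phase 1 secret, so one leaked SKEYID_d unlocks all of them; with it, each rekey's key also depends on a private DH exponent that never leaves the peer.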

41
Q

What is the encryption domain?

A

The "interesting traffic" you want to protect with the tunnel; it is defined by the Phase 2 selectors.

42
Q

What types of Phase 2 selectors are there?

A

Local Address and Remote Address
Protocol number
Local port and remote port

43
Q

Do you need to configure a Phase 2 proposal for each selector?

A

Yes, one or more proposals per selector.

44
Q

Does CHACHA20POLY1305 support NPU offload?

A

No

45
Q

True or false: 3DES is not much more resource intensive than DES or AES.

A

False. 3DES is considerably more resource intensive.

46
Q

What does "enable replay detection" do for IPsec?

A

It detects and drops replayed packets (replay attacks) using the ESP sequence numbers.

47
Q

Do the key lifetimes have to match on both peers for a tunnel to come up?

A

No. FortiGate uses the lower of the two values.

48
Q

What does auto-negotiate prevent?

A

The tunnel from going down while the SA is renegotiated: FortiGate re-keys before the SA expires and brings the tunnel up without waiting for traffic.

49
Q

True or false: auto-negotiate brings the tunnel up and keeps it up even when there is no interesting traffic.

A

True

50
Q

What are the two types of IPsec VPNs?

A

Route based
Policy based

51
Q

What is a route-based IPsec VPN?

A

A VPN where a virtual IPsec interface is created for each tunnel; traffic is steered into the tunnel by routes and firewall policies that reference that interface.

52
Q

What other VPN types can you use when you use route-based IPsec VPNs?

A

L2TP-over-IPsec
GRE-over-IPsec
Dynamic routing protocols

53
Q

Should you enable DPD in a redundant VPN?

A

Yes, so that a failed tunnel is detected and traffic fails over to the backup tunnel.
