IPSec VPN Flashcards
What are the suite of protocols used in IPSec?
Internet Key Exchange
Authentication Header
Encapsulating Security Payload
Does Fortinet use AH for IPSec?
No, because it doesn’t encrypt
What port and protocol number does IKE (no NAT) use (IPSec)?
Protocol number 17
UDP port 500
What port and protocol number does IKE NAT-T use (IPSec)?
Protocol 17, port 4500
What port and protocol number does ESP use (no NAT)?
Protocol 50, UDP port 4500
What port and protocol number does ESP use (NAT-T)?
IP protocol 17, UDP 4500
What are the two modes of IPSec?
Transport mode
Tunnel mode - extra IP header
In IPsec transport mode, is the original IP header encrypted?
No
In IPSec tunnel mode, is the original IP header encrypted?
Yes
How many IKE phases are there?
Two
What happens during IKE Phase 1?
An IKE Security Association is created to help negotiate the IPSec SA.
What happens during IKE Phase 2?
An IPSec SA is created, which creates the channel for encrypting and decrypting data.
For IPSec remote users, how is FTG configured?
As a dial-up server
What does AD-VPN stand for?
Auto-Discovery VPN
How can peers authenticate each other in IKE Phase 1?
PSK or Digital Signature
XAuth
How does IKE Phase 2 use DH keys from Phase 1?
It uses the public key and a nonce to generate a common private key
How do you get FTG to act as an IKE mode config client?
Enable mode config
Set remote gateway to Static IP or Dynamic DNS
How do you get FTG to act as an IKE mode config server?
Enable mode config
Set remote gateway to Dial-up user
What are the three options for configuring the remote gateway of an IPSec VPN?
Dial-up user
Static IP
Dynamic User
When do you use the Dial-up user remote gateway?
When the remote client or gateway IP address is not known. It can be a VPN client or a remote gateway.
When do you use Static IP or Dynamic DNS for the IPSec remote gateway?
When you know the IP address of the remote peer.
Can both gateways be configured as dial-up users?
No, one has to be a server.
What does mode config cause FGT to do?
FTG, acting as a dial-up server, pushes network settings to dial-up clients.
Does mode config need to be enabled on both peers for IPSec?
Yes
Does ESP support NAT by default?
No, it does not use port numbers to track different tunnels.
What happens when NAT-T detects NAT?
Both ESP and IKE use UDP port 4500
What does NAT traversal set to forced do?
It will always use UDP port 4500 even if there is no NAT.
What does mode config do when enabled?
Assigns an IP address, netmask, and DNS server to the client
What is DPD?
Dead peer detection
What are the three DPD modes?
On Demand, On Idle and Disabled
What is DPD On Demand mode?
FTG sends DPD probes if it detects there is only outbound traffic and no inbound (default mode).
What is DPD On Idle mode?
DPD probes are sent when no traffic is observed on the tunnel. Resource intensive, so use with few tunnels.
What is DPD Disabled mode?
FTG only replies to DPD packets but does not send them.
Which IKE mode is considered more secure and why?
Main mode, because the pre-shared key hash is exchanged encrypted
What IKE mode is considered faster?
Aggressive mode; it only uses three packets.
Can IKE Main mode support peer ID check?
No, Aggressive mode should be used, as it sends the peer ID in the first packet.
In the IPSec Phase 1 proposal, what is the default key lifetime?
86400 (seconds)
What must be negotiated in IPSec phase 1?
Encryption, Authentication, DH Group.
When you use XAuth, how do you select which user group to use?
- Inherit from policy: users are pulled from the matching IPSec policy.
- Choose: specify the user group
What is Perfect Forward Secrecy?
FTG uses DH to generate new keys each time phase 2 expires.
What is the encryption domain?
It is the interesting traffic that you want to protect with the tunnel, and it is determined by Phase 2.
What types of Phase 2 selectors are there?
Local Address and Remote Address
Protocol number
Local port and remote port
Do you need to configure a Phase 2 proposal for each selector?
Yes, one or more proposals.
Does CHACHA20POLY1305 support NPU offload?
No
True or false: 3DES is not much more resource intensive than DES or AES.
False, it is more intensive.
What is enable replay detection for IPSec?
Detects replay attacks
Do you have to have matching lifetime thresholds for a tunnel to come up?
No, FTG will use the lower threshold.
What does auto-negotiate prevent?
The tunnel from going down to renegotiate the SA.
T or F: Auto-negotiate brings the tunnel up and keeps it up even with no interesting traffic
True
What are the two types of IPsec VPNs?
Route based
Policy based
What is a route-based IPSec VPN?
A virtual interface for each VPN is created.
What other types of VPN can you use if you use route-based IPsec VPNs?
L2TP-over-IPsec
GRE-over-IPsec
Dynamic routing protocols
Should you enable DPD in a redundant VPN?
Yes