IPsec VPN

Question 1

What port does IKE use?

Answer 1

• UDP 500
• UDP 4500 with NAT-T

Question 2

What VPN topology has the simplest configuration?

Answer 2

Hub-and-Spoke

Question 3

What are some cases in which you wouldn’t want a Hub-and-Spoke VPN topology?

Answer 3

• If you want fault tolerance
• If you need direct communication between sites

Question 4

What is the likely cause if an IPsec tunnel is not coming up and you get a negotiation failure error?

Answer 4

IPsec configuration mismatch, verify phase 1 and 2 configurations between both peers

Question 5

What is the likely cause if an IPsec tunnel is unstable and you get an error saying DPD packet lost?

Answer 5

• ISP issue, check internet connection
• Enable NAT-Traversal

Question 6

What must be done in the firewall policy for an IPsec tunnel to come up?

Answer 6

Create a policy accepting traffic on the IPsec tunnel

Question 7

What setting determines whether a tunnel is used as primary or backup?

Answer 7

Routing

Question 8

What are the two modes IPsec can operate in?

Answer 8

• Transport
• Tunnel

Question 9

What authentication does IKEv1 support?

Answer 9

• XAuth
• PSK and certificate signature

Question 10

What authentication does IKEv2 support instead of XAuth?

Answer 10

EAP

Question 11

What is a reason to use mesh topology over hub-and-spoke?

Answer 11

• Hub-and-spoke branch offices must go through HQ is slower than a direct connection, especially if physically distant
• Mesh devices are directly connected and you can bypass HQ
• More fault tolerant

Question 12

What are some remote gateway types in VPNs?

Answer 12

• Dialup User
• Static IP Address
• Dynamic DNS

Question 13

When would you use Dialup User?

Answer 13

When the remote peer IP address is unknown

Question 14

What is IKE Mode Config?

Answer 14

• An alternative to DHCP over IPsec
• A server assigns network settings to clients over IKE messages

Question 15

What problem did NAT traversal solve?

Answer 15

• The ESP protocol has problems crossing devices that are performing NAT
• Solves the incompatibility between NAT and IPSec

Question 16

What are keepalive probes used for?

Answer 16

• Probes are sent frequently to keep the connection across the routers active
• Used in NAT-T

Question 17

What is the default mode of dead peer detection?

Answer 17

• On demand
• FortiGate sends DPD probes if there is only outbound traffic through the tunnel, but no inbound
• (Only outbound traffic could be indication of a network failure)

Question 18

What are the two authentication methods FortiGate supports in phase 1?

Answer 18

• Pre-shared Key
• Signature

Question 19

What are the two negotiation modes IKE supports?

Answer 19

• Main mode (more secure)
• Aggressive mode (faster)

Question 20

What are benefits of using route-based IPsec VPN over Policy-based?

Answer 20

• Can deploy variations of VPNs like L2TP and GREE
• Can enable dynamic routing protocols for scalability
• Leverage multiple connections to the same destination for redundancies
• Can configure routing and firewall policies for IPsec traffic

Question 21

What do you need to make your IPsec VPN deployment more resilient?

Answer 21

Provide a second ISP connection to your site and configure two IPsec VPNs

Question 22

What are some steps needed to configure a redundant VPN?

Answer 22

• Create one phase 1 and one phase 2 for each path; primary and backup
• Enable DPD on both ends
• Add at least one static route for each VPN, with the primary having a lower distance
• Configure firewall policies to allow traffic through both VPNs