Module 8: VPN and IPsec Concepts

Question 1

True or False? A site-to-site VPN must be statically set up.

Answer 1

True

Question 2

Which two technologies provide enterprise-managed VPN solutions?

Answer 2

Site-to-site VPN and Remote access VPN

Question 3

Which two technologies provide service provider managed VPN solutions?

Answer 3

Layer 2 MPLS VPN and Layer 3 MPLS VPN

Question 4

What algorithm is used with IPsec to provide data confidentiality?

Answer 4

AES

Question 5

What algorithms are used with IPsec to provide data integrity?

Answer 5

SHA and MD5

Question 6

What algorithm is used with IPsec to provide authentication?

Answer 6

RSA

Question 7

What algorithm is used with IPsec to provide key exchange?

Answer 7

Diffie-Hellman (DH)

Question 8

Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols?

Answer 8

Generic Routing Encapsulation (GRE)

Question 9

What is the function of the Hashed Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?

Answer 9

Guarantees message integrity

Question 10

Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit?

Answer 10

Integrity

Question 11

Which statement describes a VPN?

Answer 11

VPNs use virtual connections to create a private network through a public network.

Question 12

How is “tunnelling” accomplished in a VPN?

Answer 12

New headers from one or more VPN protocols encapsulate the original packets.

Question 13

Which type of VPN involves a nonsecure tunnelling protocol being encapsulated by IPsec?

Answer 13

GRE over IPsec

Question 14

Which two types of VPNs are examples of enterprise-managed remote access VPNs?

Answer 14

Client-based IPsec VPNs and clientless SSL VPNs

Question 15

In a static NAT configuration, what NAT address type will Internet hosts use to reach an internal web server?

Answer 15

Outside Local address of the web server

Question 16

Which type of VPN is used to connect a mobile user?

Answer 16

Remote-access

Question 17

Which VPN benefit uses advanced encryption and authentication protocols to protect data from unauthorized access?

Answer 17

Security

Question 18

Which VPN benefit allows an enterprise to easily add more users to the network?

Answer 18

Scalability

Question 19

Which VPN benefit allows an enterprise to increase the bandwidth for remote sites without necessarily adding more equipment or WAN links?

Answer 19

Cost savings

Question 20

Which VPN solutions are typically managed by an enterprise?

Answer 20

IPsec, SSL, DMVPN

Question 21

How does SSL/TLS authenticate peers?

Answer 21

Public Key Infrastructure (PKI) and digital certificates

Question 22

True or False?
SSL/TLS VPNs are more complex to set up than IPsec?

Answer 22

False.

Question 23

True or False?
IPsec is less secure than SSL/TLS VPN

Answer 23

False.

Question 24

True or False?
IPsec is the preferred method of configuring a VPN over SSL/TLS

Answer 24

False, both options are valid.

SSL/TLS VPNs are less complex and have more extensive connection options as they work with any device with a web browser.

IPsec is more secure and and supports all IP-based applications, not just

Question 25

Site-to-Site VPNs use what terminating devices?

Answer 25

VPN Gateways

Question 26

Site-to-Site VPNs are typically created and secured using what technology?

Answer 26

IPsec

Question 27

When might Dynamic Multipoint VPN (DMVPN) might be useful?

Answer 27

If you have more than a few sites that need securely connecting, such as in a large enterprise.

Question 28

What type of topology does DMVPN use for configuration?

Answer 28

Hub-and-Spoke

Question 29

True or False?
Once DMVPN connections are made between sites, all traffic must be routed through the hub site?

Answer 29

False.
Once configuration is established, DMVPN allows for a full-mesh between all sites.

Question 30

IPsec VTI maps to what type of interface?

Answer 30

A virtual interface, rather than static physical interfaces.

Question 31

True or False?
IPsec VTI can send both unicast and multicast encrypted traffic, therefore supporting routing protocols automatically.

Answer 31

True.
It does so without the need to configure GRE tunnels.

Question 32

True or False?
IPsec VTI can only be configured between sites.

Answer 32

False.
It can also be configured in a Hub-and-Spoke tpology.

Question 33

What two types of MPLS VPNs are available?

Answer 33

Layer 2, where customer routers effectively belong to the same multiaccess network.

Layer 3, where the service provider establishes routing between the customer’s routers and the provider’s router.

Question 34

What type of VPN enables an enterprise to rapidly scale secure access across the organization?

Answer 34

DMVPN

Question 35

What type of VPN enables an enterprise to emulate an Ethernet multiaccess LAN with remote sites?

Answer 35

MPLS VPN

Question 36

What type of protocol is GRE?

Answer 36

Carrier protocol

Question 37

What type of VPN only requires a web browser on the host?

Answer 37

SSL/TLS VPNs

Question 38

What type of VPN can be established with a web browser using HTTPS?

Answer 38

Clientless VPN

Question 39

In IPsec, what provides authentication for the data origin, integrity, and protection against replay attacks?

Answer 39

Authentication Header (AH)

Question 40

In IPsec, what provides encryption for data confidentiality and authentication?

Answer 40

Encapsulating Security Payload (ESP)

Question 41

In IPsec, what provides negotiation of security associations and keys?

Answer 41

• ISAKMP (Internet Security Association and Key Management Protocol) sets the ‘blueprint’ for the authentication
• IKE (Internet Key Exchange) implements the blueprint
• DH (Diffie-Hellman) performs the secure key exchange