NetSec_8_VPNs Practical

Question 1

ACL Syntax for IPsec Traffic (3)

Answer 1

access-list acl# permit udp source_ip wildcard destination_ip wildcard eq isakmp

Permits ISAKMP traffic.

access-list acl# permit esp source_ip wildcard destination_ip wildcard

Permits ESP traffic.

access-list acl# permit ahp source_ip wildcard destination_ip wildcard

Permits AH traffic

Question 2

Configuration Tasks for IPsec VPN (5)

Answer 2

1. Configure the ISAKMP policy for IKE Phase 1
2. Configure the IPsec Policy for IKE Phase 2
3. Configure a Crypto Map for the IPsec Policy.
4. Apply the IPsec Policy
5. Verify the IPsec Tunnel is operational.

Question 3

Configuring ISAKMP Policy for Phase 1 (2)

Answer 3

crypto isakmp policy priority_value // Priority 1 to 10000

Lowest priority value has the highest priority.

Question 4

HAGLE (3)

Answer 4

• Mnemonic to remember the five SA’s to configure for Phase 1.
• Refers to ISAKMP Config Commands
  1. Hash
  2. Authenticate
  3. Group (Diffie-Helman Group)
  4. Lifetime
  5. Encryption.

Question 5

Hash ISAKMP Config Command with Options (2)

Answer 5

hash { sha | md5 } // Sets hash to SHA-1 or MD5

no hash // Resets hash command.

Question 6

Authenticate ISAKMP Config Command with Options. (4)

Answer 6

authentication { rsa-sig | rsa-encr | pre-share }

rsa-sig // RSA Signatures as authentication method

rsa-encr // RSA Encrypted nonces as authentication method.

pre-share // Pre-Shared Keys as authentication method.

Question 7

Group ISAKMP Config Command (3)

Answer 7

group DiffieHelman_GroupNumber

DH Groups: 1, 2, 5, 14, 15, 16, 19, 20, 21, 24

Lowest = Least Secure ; Highest = Most Secure.

Question 8

Lifetime ISAKMP Config Command (2)

Answer 8

lifetime seconds // Sets lifetime of key exchange security association.

60 sec (min.) to 86400 sec. (max ; 1 day)

Question 9

Encryption ISAKMP Config Command with Options (5)

Answer 9

encryption { des | 3des | aes bits | seal }

des // 56 bit keys

3des // 56 bit keys (3 times)

aes // 128, 192, or 256 bit keys

seal // 160 bit keys streaming cipher

Question 10

Configuring Pre-Shared Key (Phase 2) (2)

Answer 10

crypto isakmp key keystring address peer_ip_address

crypto isakmp key keystring hostname peer_hostname

Question 11

Command Used to Display the Status of an IKE Phase 1 Tunnel.

Answer 11

show crypto isakmp sa

Question 12

Transform Set Definition

Answer 12

Encryption and hashing algorithms to be used to transform the data during the VPN communication, negotiated during Phase 2.

Question 13

Configuring IPsec Transform Set (2)

Answer 13

crypto ipsec transform-set transform_set_tag upToThreeTransformKeywords

Can only have 1 AH transform per transform set.

Question 14

Syntax to Configure Crypto Map (5)

Answer 14

crypto map map_name seq_number {ipsec-isakmp | ipsec-manual }

map name = name of crypto map

seq_number = Sequence number for crypto map.

ipsec-isakmp // Indicates IKE will be used.

ipsec-manual // IKE will not be used.

Question 15

Steps to Complete Crypto Map Configuration (5)

Answer 15

1. match address acl_number // Binds ACL for interesting traffic to crypto map.
2. set transform-set cryptoMapName
3. set peer peer_IP_address
4. set pfs DH_Group# // Group number value set as group1, group2, etc
5. set security-association lifetime seconds time_in_Seconds. // Sets the tunnel lifetime.

Question 16

Command to Display Current Crypto Maps

Answer 16

show crypto map

Question 17

Applying Crypto Map to Interface (2)

Answer 17

interface outbound_interface_ID

crypto map crypto_map_name

Question 18

Extended Ping (3)

Answer 18

ping ip destination_ip source designated_source_ip

Sends ping to destination IP address as if it was originating from the sourfce IP address.

Used to send interesting traffic to trigger ISAKMP ACL

Question 19

Command To Display Infor About IPSEC Tunnels.

Answer 19

show crypto ipsec sa