Site to site vpn

Question 1

What are the two main protocols of IPSec?

Answer 1

Authentication header (ah)
Encapsulation security payload (ESP)

Question 2

Layer protocol is IPSec?

Answer 2

Layer 3 protocol suite to secure re data in transit via VPN

Question 3

What is the Athenticating header (AH)/ what does it provide?

Answer 3

Provides integrity, authentication and anti-replay

- Does not provide confidentiality

Question 4

what does Encapsulating Security Payload (ESP)provide?

Where can it work?

Answer 4

Provides CIA+A •Which is why ESP is most often used •Can work in Transport mode - host to host
-Can work in Tunnel mode - network to network

Question 5

What is Internet Security Association and Key Management Protocol (ISAKMP)?

Answer 5

Internet Security Association and Key Management Protocol (ISAKMP)

• Protocol for establishing Security Associations (SAs)
• Defines process for peer authentication

Question 6

What is Security Associations (SAs)?

Answer 6

Set of agreed upon parameters parameters between peers to ensure communication security
-Unidirectional - one each direction between peers

Question 7

What are the two phases of Internet key exchange?

Answer 7

Phase 1 (IKEv1), IKE_SA (IKEv2) 
Phase 2 (IKEv1), CHILD_SA (IKEv2)

Question 8

The Internet Key Exhchange builds _______ between _______

Answer 8

Security Associations (SAs)
peers

Question 9

What are the two versions of IKE?

Answer 9

IKEv1 and IKEv2

Question 10

Phase 1/IKE_SA does what?

Answer 10

Establishes secure channel between peers •Manages channel - key renewal, etc. - like a control plan

Question 11

Phase 2/CHILD_SA does?

Answer 11

Establishes second secure channel •Encrypts, decrypts and transports data - like a data plane

Question 12

What are the IOS PSK VPN Configuration Steps?(6)

Answer 12

configure ISAKMP phase 1 policy
•Configure ISAKMP pre-shared key to target VPN IP •Configure traffic to allow through VPN
•Create access list referencing source and destination networks •Configure IPSec transform set
•Configure crypto map •Apply crypto map to outbound interface

Question 13

IKE Phase 2

Answer 13

• Child connection established right after Phase 1
• Negotiates connection type and encryption parameters •SA is formed and parameters stored in SA database
• SPI field in IPSec header points to SA to reference to ensure proper keys use

Question 14

IKE Phase 1

Answer 14

• Negotiates connection parameters
• Hash algorithm, encryption algorithm, Diffie-Hellman group, authentication method (shared key or RSA), connection lifetime •Diffie-Hellman exchange establishes shared symmetric key
• Peers authenticate

Question 15

What is transport mode

Answer 15

Host to host

Question 16

What is tunneling mode

Answer 16

Transmitting data between network to network

Question 17

What does isakmp do?

Answer 17

Negotiation of the tunnel (ime phase 1 and 2)

Transmits data over the tunnel

Question 18

Duffie helman algorithm is used to

Answer 18

Establish a secret key between two vpn endpoints over insecure channel

Question 19

What is a hashing algorithm? And example?

Answer 19

It provides data integrity

Eg: MD5, SGA1

Question 20

Phase 1 of ike negotiates matching transform sets to protect ___________

Answer 20

IKE exchange

Question 21

Ike/ike2 provides a framework for ______ negotiation and ____ exchange

Answer 21

Policy negotiations and key exchange

Question 22

Esp provided an ecapsulation for ________ and ______ for user purposes

Answer 22

Encryption and authentication

Question 23

phase one of isakmp helps with ________

Answer 23

Management.

Negatiote a security association

Question 24

What is part of a policy set

Answer 24

Authenticatuon
dH 
Encryption
Hash
Key

Question 25

Phase 2. Goal is to create ________ ________

Answer 25

Security associations (protects user data)

Question 26

Ipsec SA is ______ directional

Answer 26

Uni directional

Out bound and inbound

Question 27

Iskamp sa is _________ directional

Answer 27

Bi directional