Virtual Private Network (VPN)

Question 1

Protocols use in VPN (7)

Answer 1

Point-to-Point Tunneling (PPTP)
Layer 2 Forwarding (L2F) Protocol
Layer 2 Tunneling Protocol (L2TP)
Generic Routing Encapsulation (GRE) Protocol
Multiprotocol Label Switching (MPLS) Protocol
Internet Security Protocol (IPSec)
Secure Socket Layer (SSL)

Question 2

VPN Implementation are categorized in Two Groups

Answer 2

• Site-to-Site VPN (enable two sites to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium as the internet
• Remote-Access VPN (enable user to work from remote locations)

Question 3

Uses the internet key exchange (IKE) Protocol to negotiate and establish secured site-to-site remote access VPN tunnels.

Answer 3

IPSec

Question 4

Is a framework provided by the internet security association and key management protocol (ISAKAMP)

Answer 4

IKE (Internet Key Exchange)

Question 5

Attributes in IKEv1 Phase 1

Answer 5

• encryption algorithms
• hashing algorithms
• diffie-hellman groups
• authentication method
• vendor specific attributes

Question 6

Traditional Encryption use in IKE

Answer 6

• Data Encryption Standard (DES)
• Triple DES (3DES)
• Advance Encryption Standard (AES)
• AES 192:
• AES 256

Question 7

Hashing Algorithms sample

Answer 7

Secure Hash algorithms (SHA)

Message digest algorithm 5 (MD5)

Question 8

IPSEc uses two different protocols to encapsulate data over a VPN Tunnel

Answer 8

Encapsulate security payload (ESP) : IP protocol 50
Authentication Header (AH) : IP Protocol 51

Question 9

IPSec can use two modes with either AH or ESP:

Answer 9

Transport mode: protect upper-layer protocols such as User Datagram Protocol (UDP) and TCP
Tunnel Mode : protect the entire IP Packet

Question 10

This features allows VPN peers to dynamically discover wheter an address translation device exists betweeen them. If they detect NAT/PAT device, they use UDP Port 4500 to encapsulate the date packets, subsequently allowing the NAT device to successfully translate and forward the packets

Answer 10

NAT Traversal (NAT-T)

Question 11

Difference with IKEv1 and IKEv2

Answer 11

• IKEv1 Phase 1 has two possible exchanges main mode and aggressive mode. IKEv2 IKE_SA. has a single exchange of message pair
• IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 in phase 2 has at least three message pairs.
• IKEV2 supports the use of next-generation encryption protocols and anti-DOS capabilities
• IKEv1 does not allow the use of Extensible Authenticaiton Protocol (EAP). EAP allows IKEv2 to provide a solution for remote-access VPN as well..

Question 12

Remote-Access VPN Provides this properties if HTTPS(HTTP over SSL/TLS) is used

Answer 12

• Secure communication using cryptographic algorithms (https/tls offers confidentiality, integrity and authentication)
• Ubitquity- make it possible for VPN users to access corporate resources remotely from anywhere using any PC without having to pre-install a remote access VPN client
• low management cost- the clientless type of remote access VPN free of deployment cost and free of maintenance problems
• effective operation with a firewall and nat

Question 13

Is a solution designed to secure connections from mobile devices. This

Answer 13

Cisco AnyConnect Secure Mobility

Question 14

Cisco IOS and Cisco iOS-XE tunnels interface support different types of encapsulation (or modes)

Answer 14

• Generic Routing Encapsulation (GRE) protocol
• IP-in-IP
• Distance Vector Multicast Routing Protocol (DVMRP)
• IPv6-in-IPv4

Question 15

Is defined by RFC 2784 and extend by RFC 2890. Provides a simple mechanism to encapsulate packets of any protocol (the payload packets) over any other protocol(the delivery protocol) between two endpoints.

Answer 15

Generic Routing Protocol (GRE)

Question 16

this command was introduced to simplify IPSEC and GRE configurations.

Answer 16

Tunnel Mode

Question 17

command to configure Multiple GRE(mGRE) interface

Answer 17

tunnel mode gre multipoint

Question 18

Type of GRE Encapsulation where a single static GRE tunnel interface is used as the endpoint for multiple site-to-site tunnels.

Answer 18

Multipoint GRE (mGRE)

Question 19

Is a technology created by Cisco to reduced the hub router configuration.. When deploying this, you configure a single mGRE tunnel interface, a single IPSEC profile and no crypto access-list on the hub router.

Answer 19

Dynamic Multipoint VPN (DMVPN)

Question 20

Provides a collection of features and capabilities to protect IP multicast group traffic or unicast traffic over a private WAN

Answer 20

Group Encrypted Transport VPN (GETVPN)

Question 21

GETVPN relies on the following building blocks to provide the required functionality

Answer 21

• GDOI (RFC 6407)
• Key Servers (KSs)
• Cooperative (COOPS) KSs
• Group Members (GMs)
• IP tunnel header preservation
• Group Security association
• Rekey mechanisim
• Time-based anti-reply (TBAR)
• G-IKEv2
• IP-D3P

Question 22

Minimum Requirements of a basic GETVPN key server configuration

Answer 22

• IKE Policy
• RSA key for re-keying
• IPSEC phase 2 policies
• Traffic classification

Question 23

Minimum Requirements of a basic GETVPN group member configuration

Answer 23

IKE Policy
GDOI crypto map
Crypto map applied to an interface

Question 24

Is a framework to configure IPSEC VPN on Cisco IOS devices. IT was created to simplify the deployment of VPN solutions of all type

Answer 24

FlexVPN

Question 25

Benefits of FlexVPN

Answer 25

• can interoperate with Non-CISCO IKEv2 implementations
• Support different VPN (point-to-point, remote-access, hub-and-spoke, dynamic mesh
• combines all these different VPN technologies using one command-line interface (CLI) set of configurations
• Support for dynamic overlay routing
• Integration with CISCO IOS AAA
• Support GRE and native IPSEC encapsulations
• Support IPV4 and IPv6 overlay and underlay

Question 26

Show commands for troubleshooting IPSec VPN in Cisco Routers

Answer 26

• show cyrpto isakmp sa
• show crypto ikev2 sa
• show crypto ikev2 sa detailed
• show crypto ikev2 sessions

Question 27

Show commands to display IKEv2 statistic

Answer 27

• show crypto ikev2 stats
• show crypto ikev2 stats exchange
• show crypto ikev2 stats ext-service
• show crypto ikev2 stats priority-queue
• show crypto ikev2 stats timeout

Question 28

Debug commands to troubleshoot IPSec implementations

Answer 28

• debug crypto isakmp
• debug crypto ikev2
• debug crypto ikev2 internal
• debug radius authentication
• debug crypto ipsec

Question 29

Commands to obtain and view error events or exceptions in IKEV2 negotiations

Answer 29

show monitor event-trace crypto ikev2

Question 30

Configuring site-to-site on Cisco ASA firewalls

Answer 30

1. Enable isakmp
2. create isakmp policy
3. set the tunnel type
4. define the ipsec policy
5. configure the crypto map
6. configure traffic filtering (optional)
7. bypass NAt
8. enable perfect forward secrecy

Question 31

command to enabling IKEv2 in the Cisco ASA site-to-site VPN config

Answer 31

crypto ikev2 enable outside

Question 32

command in creating isakmp policy in Cisco ASA site-to-site VPN config

Answer 32

crypto ikev2 policy1

• encryption aes-256
• integrity sha
• group 5
• prf sha
• lifetime seconds 86400

Question 33

commands in setting up tunnel group in Cisco ASA site-to-site VPN config

Answer 33

tunnel-group x.x.x.x type ipsec-121
tunnel-group x.x.x.x ipsec-attributes
>ikev2 remote-authentication pre-shared-key secret
>ikev2 local-authentication pre-shared-key secret

Question 34

commands in configuring IPSec policy in the Cisco ASA for site-to-site VPN

Answer 34

crypto ipsec ikev2 ipsec-proposal mypolicy
>protocol esp encryption aes-256
>protocol esp integrity sha-512

Question 35

Configuring crypto-map in Cisco ASA for site-to-site VPN

Answer 35

configure terminal
access-list outside-cryptomap line 1 remark ACL to encrypt traffic from site-a to site-b
access list outside-cryptomap line 2 extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 1 match address outside-cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal mypolicy
crypto map outside_map 1 interface outside

Question 36

commands that is enabled by default and allow cisco ASA to bypass the ACL check for all the VPN tunnels, including remote-access IPSec Tunnels and SSL VPN tunnels

Answer 36

sysopt connection permit-vpn

Question 37

command in CISCO asa for NAT Exempt Policy

Answer 37

object network 192.168-Net
>subnet 192.168.10.0 255.255.255.0
object network 10.10-Net
>subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static 192.168-Net 10.10-Net destination static 192.168-Net 10.10-Net

Question 38

Is a cryptographic technique where newly generated keys are unrelated to any previously generated key

Answer 38

Perfect Forward Secrecy (FPS)

Question 39

command in cisco ASA in enabling FPS

Answer 39

crypto map outside_map 10 set pfs group5

Question 40

Additional attributes in Cisco Site-to-SIte VPN configuration

Answer 40

OSPF updates over IPSec
Reverse route injection
NAT traversal
Tunnel Default Gateway
Management Access
Fragmentation policies

Question 41

Steps in configuring IPSec Remote Access VPN in Cisco ASA

Answer 41

1. enable isakmp (IKEV1)
2. create IKEv1 (isakmp) policy
3. set up tunnel group policies
4. define the IPSec policy
5. configure user authentication
6. assign an ip address
7. create a crypto map
8. configure traffic filtering (optional)
9. bypass NAT (optional)
10. set up split tunneling (optional)
    11 define DNs and WINS address (optional)

Question 42

Cisco ASA supports the following SSL VPN Modes

Answer 42

• Clientless (remote client need only a SSL-enabled broswer)
• Thin Client (remote clients need to install small java applet)
• Full tunnel (remote client need to install SSL VPN Client)

Question 43

Cisco ASA remote-access design considerations

Answer 43

• analyze current environment and determine which features
• determine how you user connect to corporate network (hotel kiosks, computer in public)
• determine the size of SSLVPN deployment (concurrent users)
• load balancing
• make sure you have the appropriate licenses

Question 44

The infrastructure requirements for SSL VPN includes but not limited to

Answer 44

• ASA placement (if behind another firewall make sure to open the ports)
• User accounts (active directory, radius,RSA, secureID, ldap)
• Administrative privileges: required for all connections with port forwarding if you want to use host mapping

Question 45

Pre-SSL VPN Configurations steps

Answer 45

• enroll digital certificates
• set up tunnel and group policies
• set up user authentication

Question 46

command in cisco asa to import a CA certificate manually

Answer 46

crypto ca trustpoint sslcertexample
>enrollment terminal
crypto ca authenticate sslcertexample

Question 47

command in cisco asa to manually enroll a certificate

Answer 47

configure terminal
>domain-name domain.org
>crypto key generate rsa label domaincert
>crypto ca trustpoint domaincert
>>keypair domaincertrsa
>>id-usage ssl-ipsec
>>no fqdn
>>subject-name CN=omar-asa
>>enrollment terminal
>>crypto ca encroll domaincert

Question 48

command to import Identity certificate

Answer 48

crypto sa import domaincert certificate

Question 49

command to activating the Identity Certificate

Answer 49

ssl trust-point domaincert outside

Question 50

Cisco ASA uses an inheritance model when it pushes network and security policies to the end-user sessions. You can configure policies at the following three policy locations

Answer 50

Under the default group policy (DfltGrpPolicy)
Under the user’s assigned group policy
Under the specific users policy

Question 51

Cisco ASA supports a number of authentication mechanism and databases

Answer 51

RADIUS
NT Domain
Kerberos
SDI
LDAP
Digital certificates
SMart Cards
SAML
Local databases

Question 52

UDP ports uses by CISCO ASA as defaults for authentication and accounting

Answer 52

1645 and 1646

Question 53

Most Radius servers uses this assigned ports for authentication and accounting (official IANA)

Answer 53

1812 and 1813

Question 54

command in ASA to configure RADIUS server as authentication server

Answer 54

aaa-server Radius Protocol radius
aaa-server Radius (inside) host 192.168.10.123
>key thisisthekey

Question 55

Steps in enabling Clientless SSL VPN

Answer 55

1. enable clientless SSL VPN on an interface
2. configure SSL VPN Portal customization
3. configure bookmarks
4. configure WebTypes ACLs
5. configure application access
6. configure client-server plug-ins

Question 56

command on Cisco ASA to enable SSL VPN on the outside interface

Answer 56

webvpn

>enable outside

Question 57

Cisco ASA methods that allows application access

Answer 57

• smart tunnel (works on application layer and establishing Winsock 2 connections)
• port forwarding

Question 58

Cisco AnyConnect Secure mobility client VPN can be installed on a users computer using one of these methods

Answer 58

• Web-enabled mode (download thru browser)

- standalone mode (download from file server or cisco.com)

Question 59

Configuring of Cisco AnyConnect Secure Mobility client VPN is a two step process

Answer 59

1. Load the Cisco Anyconnect Secure Mobility client package

2. Define Cisco Anyconnect Secure Mobility Client VPN attributes

Question 60

Before Cisco AnyConnect Secure Mobility Client SSL VPN tunnel is functional, you have to configure the following two required actions

Answer 60

1. Enabling Cisco AnyConnect Secure mobility connections

2. Address pool definition

Question 61

Optional attributes to enhance the functionality of the Cisco AnyConnect Secure Mobility client

Answer 61

Split tunneling
DNS and WINS assignment
Keeping SSL VPN client installed
DTLS
Configuring traffic filters
Configure a tunnel group

Question 62

Cisco ASA support 3 different method to assign IP address back to the client

Answer 62

• local address pool
• dhcp server
• radius server

Question 63

With this Cisco ASA notifies Cisco Anyconnect Clients about secured subnets. The VPN clients, using the secured routes, encrypts only those packets that are destined for the network behind the security appliance

Answer 63

Split tunneling

Question 64

Steps in configuring SSL and IPSEC-IKEv2 remote access VPN with the Remote Access VPN Policy wizard

Answer 64

1. Navigate to Devices>VPN>Remote Access
2. Enter a name. Select VPN Protocols (SSL or IPSec-IKEv2)
3. Configure connections profile
4. Set AAA method (AAA,certificates or both)
5. Select Radius server or different for authorization and accounting
6. Configure different attributes in the group policy (authorization profile, ip address, any connect settings, vlan mapping and user sessions)
7. Add an address pool
8. create an IP Pool
9. Select the anyconnect image that VPN Users will use to connect to remote access.
10. Select network interface and identity certificate
11. view the summary of the remote access vpn policy configurations

Question 65

The only supported client on endpoint devices for Remote vpn connectivity to Cisco FTD devices

Answer 65

AnyConnect

Question 66

debug command use to troubleshoot remote access vpn connections on FTD devices.

Answer 66

debug webvpn conditions {group-name, p-ipaddress ip address, subnet subnet_mask, reset , username

ex. debug webvpn condition user hannah
show webvpn debug-condition

Question 67

Steps in configuring Site-to-Site VPN in FTD devices

Answer 67

1. Navigate to Devices>VPN>Site-to-Site VPN
2. create new vpn topology by clicking firepower device
3. enter a unique name for the new topology and specify a topology type
4. specify the node pairs
5. select the devices you want to configure to establish site-to-site VPN tunnel, their associated interfaces and the IP Address.

Question 68

Example of DMVPN Hub Configuration

Answer 68

!The ISAKMP policy
crypto isakmp policy 1
encryption aes
authentication pre-share
group 14
! A dynamic ISAKMP key and IPsec profile
crypto isakmp key supersecretkey address 0.0.0.0
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
! crypto ipsec profile my_hub_vpn_profile
set transform-set trans2
!!
The tunnel interface with NHRP
Interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication anothersupersecretkey
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
! This line must match on all nodes that want to use this mGRE tunnel.
tunnel key 100000
tunnel protection ipsec profile my_hub_vpn_profile
! interface GigabitEthernet0/0
ip address 172.16.0.1 255.255.255.0
! interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
! router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.0.0 0.0.0.255

Question 69

A spoke configuration sample of DMVPN

Answer 69

crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key supersecretkey address 0.0.0.0
! crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
! crypto ipsec profile my_spoke_vpn_profile
set transform-set trans2
! interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip nhrp authentication anothersupersecretkey
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.1
ip nhrp network-id 99
ip nhrp holdtime 300
! Configures the hub router as the NHRP next-hop server.
ip nhrp nhs 10.0.0.1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile my_spoke_vpn_profile
! interface GigabitEthernet0/0
ip address dhcp hostname Spoke1
! interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
! router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255

Question 70

Example of FlexVPN Server Configuration

Answer 70

! AAA configuration. R1 is configured with AAA authorization to use
! the RADIUS server (10.1.2.3) to retrieve the IKEv2 pre-shared keys.
aaa new-model
aaa group server radius radius_group1
server name radius_server1
! aaa authorization network aaa_psk_list group radius_group1
! radius server radius_server1
address ipv4 10.1.2.3 auth-port 1645 acct-port 1646
key radius_server1_key
! The IKEv2 name mangler is configured to derive the AAA username from
! the hostname portion of the peer IKEv2 identity of type FQDN.
! When each branch router is configured with a unique local FQDN identity,
! the name mangler will yield a unique AAA username for the pre-shared key
! lookup on the RADIUS server.
! The IKEv2 profile is configured to match all the branch routers, based on
! the domain portion (secretcorp.org) of the peer FQDN identity.
! The profile is configured to use an AAA-based keyring that would retrieve
! the pre-shared keys, using AAA authorization from the RADIUS
! server specified in the referenced AAA method list.
! The referenced IKEv2 name mangler will yield a unique AAA username for
! pre-shared key lookup on the RADIUS server that is derived from the
! username portion the peer FQDN identity.
crypto ikev2 name-mangler aaa_psk_name_mangler
fqdn hostname
! crypto ikev2 profile default
match identity remote fqdn domain example.com
identity local fqdn hq.example.com
authentication local pre-share
authentication remote pre-share
keyring aaa aaa_psk_list name-mangler aaa_psk_name_mangler

Question 71

Example of FlexVPN Client Configuration

Answer 71

crypto ikev2 keyring local_keyring
peer hub-router
address 10.1.1.1
pre-shared-key branch1-hub-key
crypto ikev2 profile default
match identity remote fqdn hq.secretcorp.org
identity local fqdn rtp-branch.secretcorp.org
authentication local pre-share
authentication remote pre-share
keyring local local_keyring

Question 72

Feature that allows logging information to be stored in binary files so that you can later retrieve them without adding any more stress on the infrastructure device

Answer 72

Event-trace monitoring