VPN / IPSEC

Question 1

GRE

Answer 1

Generic Routing Encapsulation: tunnel between two endpoints

• encapsulates traffic inside of ip
• no encryption! –> use VPN

Question 2

IPSec

Answer 2

Internet Protocol Security: CIA + anti-replay for L3

- encryption and packet signing

Question 3

AH

Answer 3

Authentication Header: hash of the packet and a shared key –> provides authentication

Question 4

DMVPN

Answer 4

Dynamic Multipoint VPN:

• dynamic mesh, built on-demand using mGRE (multipoint Generic Router Encapsulation)

Question 5

anti-replay in IPSec

Answer 5

checks sequence numbers on all packets prior to transmission

Question 6

5 IPSec steps

Answer 6

1. key exchange request
2. IKE phase 1
3. IKE phase 2
4. Data transfer
5. Tunnel termination

Question 7

IKE 2 modes:

Answer 7

Internet Key Exchange

main mode: 3 two-way exchanges between the peers (algorithms, DH to generate shared secret key, authentication)

aggressive mode: way faster but less secure –> everything is suggested by the receiver

Question 8

SA

Answer 8

Security Association : negotiated in IKE phase 1, used for ISAKMP

includes authentication method, encryption method, DH groups, expiration time, shared secret key

Question 9

IKE phase 2

Answer 9

negociate SA to set up the IPSec Tunnel

uses Quick Mode to negotiate shared IPsec policy

Question 10

VPN HEADEND

Answer 10

VPN concentrator used to terminate IPSEC vpn tunnels within a router or other device