What port does IKE use?
- UDP 500
- UDP 4500 with NAT-T
What VPN topology has the simplest configuration?
Hub-and-Spoke
What are some cases in which you wouldn’t want a Hub-and-Spoke VPN topology?
- If you want fault tolerance
- If you need direct communication between sites
What is the likely cause if an IPsec tunnel is not coming up and you get a negotiation failure error?
IPsec configuration mismatch, verify phase 1 and 2 configurations between both peers
What is the likely cause if an IPsec tunnel is unstable and you get an error saying DPD packet lost?
- ISP issue, check internet connection
- Enable NAT-Traversal
What must be done in the firewall policy for an IPsec tunnel to come up?
Create a policy accepting traffic on the IPsec tunnel
What setting determines whether a tunnel is used as primary or backup?
Routing
What are the two modes IPsec can operate in?
- Transport
- Tunnel
What authentication does IKEv1 support?
- XAuth
- PSK and certificate signature
What authentication does IKEv2 support instead of XAuth?
EAP
What is a reason to use mesh topology over hub-and-spoke?
- Hub-and-spoke branch offices must go through HQ is slower than a direct connection, especially if physically distant
- Mesh devices are directly connected and you can bypass HQ
- More fault tolerant
What are some remote gateway types in VPNs?
- Dialup User
- Static IP Address
- Dynamic DNS
When would you use Dialup User?
When the remote peer IP address is unknown
What is IKE Mode Config?
- An alternative to DHCP over IPsec
- A server assigns network settings to clients over IKE messages
What problem did NAT traversal solve?
- The ESP protocol has problems crossing devices that are performing NAT
- Solves the incompatibility between NAT and IPSec
What are keepalive probes used for?
- Probes are sent frequently to keep the connection across the routers active
- Used in NAT-T
What is the default mode of dead peer detection?
- On demand
- FortiGate sends DPD probes if there is only outbound traffic through the tunnel, but no inbound
- (Only outbound traffic could be indication of a network failure)
What are the two authentication methods FortiGate supports in phase 1?
- Pre-shared Key
- Signature
What are the two negotiation modes IKE supports?
- Main mode (more secure)
- Aggressive mode (faster)
What are benefits of using route-based IPsec VPN over Policy-based?
- Can deploy variations of VPNs like L2TP and GREE
- Can enable dynamic routing protocols for scalability
- Leverage multiple connections to the same destination for redundancies
- Can configure routing and firewall policies for IPsec traffic
What do you need to make your IPsec VPN deployment more resilient?
Provide a second ISP connection to your site and configure two IPsec VPNs
What are some steps needed to configure a redundant VPN?
- Create one phase 1 and one phase 2 for each path; primary and backup
- Enable DPD on both ends
- Add at least one static route for each VPN, with the primary having a lower distance
- Configure firewall policies to allow traffic through both VPNs
