Which two statements describe the IPsec protocol framework? (Choose two.)
a) AH uses IP protocol 51.
b) AH provides integrity and authentication.
c) AH provides encryption and integrity.
d) ESP uses UDP protocol 51.
e) AH provides both authentication and encryption.
Answer:
a) AH uses IP protocol 51.
b) AH provides integrity and authentication.
Explanation:
AH (IP protocol 51) provides origin authentication and integrity but no confidentiality; ESP (IP protocol 50) provides encryption and can also provide integrity and authentication. Both are IP protocols in their own right, not UDP services; ESP is only wrapped in UDP (port 4500) when NAT traversal is negotiated because a NAT device sits between the peers.
Cisco Explanation:
The two primary protocols used with IPsec are AH (Authentication Header) and ESP (Encapsulating Security Payload). AH is protocol number 51 and provides data authentication and integrity for IP packets exchanged between peers. ESP, protocol number 50, performs packet encryption.
What technology is used to negotiate security associations and calculate shared keys for an IPsec VPN tunnel?
a) PSK
b) SHA
c) 3DES
d) IKE
Answer:
d) IKE
Explanation:
IKE negotiates the ISAKMP and IPsec security associations and performs the Diffie-Hellman exchange from which the shared keys are derived; it runs over UDP port 500 (UDP 4500 with NAT traversal). PSK is an authentication method, SHA a hash and 3DES a cipher: all three are parameters that IKE negotiates, not the negotiation protocol itself.
Cisco Explanation:
The Internet Key Exchange (IKE) protocol is a key management standard used when creating an IPsec VPN tunnel. IKE negotiates SAs and calculates shared keys.
What are the two modes used in IKE Phase 1? (Choose two.)
a) Passive
b) Primary
c) Main
d) Secondary
e) Aggressive
Answer:
c) Main
e) Aggressive
Explanation:
Main mode uses six messages and encrypts the identity exchange, so peer identities are hidden from eavesdroppers; aggressive mode uses three messages and is faster but sends the identities in the clear. With pre-shared keys, aggressive mode also exposes a hash derived from the PSK to anyone capturing the exchange, which allows an offline dictionary attack on the key, so it should be disabled unless a peer (typically a remote site with a dynamic address) requires it.
Cisco Explanation:
The two modes for IKE Phase 1 are main and aggressive. Main mode takes more time because peer identities are hidden from eavesdroppers.
What takes place during IKE Phase 2 when establishing an IPsec VPN?
a) Traffic is exchanged between IPsec peers.
b) IPsec security associations are exchanged.
c) ISAKMP security associations are exchanged.
d) Interesting traffic is identified.
Answer:
b) IPsec security associations are exchanged.
Explanation:
In IKE Phase 2 (quick mode), protected by the Phase 1 ISAKMP SA, the peers negotiate the transform set (and optionally PFS) and establish a pair of unidirectional IPsec SAs, one per direction, each identified by an SPI. Interesting traffic is identified before Phase 1 even begins, and user traffic flows through the tunnel only after Phase 2 completes.
Cisco Explanation:
During IKE Phase 2, IPsec peers exchange IPsec SAs that each peer is willing to use to establish the IPsec tunnel.
A site-to-site IPsec VPN is to be configured. Place the configuration steps in order.
Answer:
Configure the ISAKMP policies for IKE Phase 1.
Configure the IPsec policy (transform set) for IKE Phase 2.
Configure a crypto map for the IPsec policy.
Apply the IPsec policy (the crypto map) to the interface.
Verify that the IPsec tunnel is operational.
Explanation:
The IPsec setup is sequential: the Phase 1 (ISAKMP) policy and peer authentication first, then the Phase 2 policy (transform set and interesting-traffic ACL), then the crypto map that ties peer, transform set and ACL together, then applying the map to the WAN interface, and finally verification. Note that ISAKMP policies belong to Phase 1; Phase 2 is defined by the transform set.
Cisco Explanation:
Configuration steps, in order:
1. Configure the ISAKMP policies for IKE Phase 1.
2. Configure the IPsec policy for IKE Phase 2.
3. Configure a crypto map for the IPsec policy.
4. Apply the IPsec policy.
5. Verify that the IPsec tunnel is operational.
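The five steps above as one complete IOS configuration for R1. This is an added example, not code from the page or from Cisco's course material; the addresses (203.0.113.0/30 WAN link, 192.168.1.0/24 behind R1, 192.168.2.0/24 behind R2), the policy and map names and the pre-shared key are all assumed for illustration. It also goes beyond the bare steps by disabling the built-in default ISAKMP policies and aggressive mode, which a hardened deployment wants.

```cisco
! R1 site-to-site IPsec VPN, following the five steps in order.
! Example configuration; addresses, names and the key are assumed.
! Requires the securityk9 technology package (check with show version).
!
! Step 1: ISAKMP (IKE Phase 1) policy and peer authentication.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Do not fall back to the built-in default policies (65507-65514),
! some of which still offer 3DES, MD5 and DH group 2.
no crypto isakmp default policy
! Aggressive mode leaks identities and a PSK-derived hash; main mode only.
crypto isakmp aggressive-mode disable
! Use a long random key; "S2S-PSK-Example" is a placeholder.
crypto isakmp key S2S-PSK-Example address 203.0.113.2
!
! Step 2: IPsec policy (IKE Phase 2) transform set.
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: LAN-to-LAN flows that trigger and use the tunnel.
! R2 uses the mirror image (source and destination swapped).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 3: the crypto map ties peer, transform set and ACL together.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-SET
 set pfs group14
 match address VPN-TRAFFIC
!
! Step 4: apply the map to the WAN interface, and only there.
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Step 5: verify. Nothing is negotiated until interesting traffic appears,
! so first send some, e.g.  ping 192.168.2.1 source 192.168.1.1
!   show crypto isakmp sa   -> state QM_IDLE means Phase 1 is up
!   show crypto ipsec sa    -> #pkts encaps/decaps counters increasing
!   show crypto map         -> map, peer, ACL and interface binding
```

Two practitioner checks: R2 needs the same policy, transform set and map with the peer address, key and ACL mirrored, or Phase 1 or Phase 2 will fail with a proposal mismatch; and if NAT/PAT is configured on S0/0/0, the LAN-to-LAN flow must be denied in the NAT ACL, because IOS translates inside-to-outside traffic before the crypto map is consulted and translated packets no longer match VPN-TRAFFIC.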
Refer to the exhibit. A VPN tunnel is configured on the WAN between R1 and R2. On which R1 interface(s) would a crypto map be applied in order to create a VPN between R1 and R2?
a) G0/0 and G0/1
b) G0/0
c) All R1 interfaces
d) S0/0/0
Answer:
d) S0/0/0
Explanation:
The crypto map must be applied to the WAN interface where encrypted traffic exits.
Cisco Explanation:
The crypto map is bound to the S0/0/0 R1 interface. It ties the interesting traffic ACL and transform set to the IPsec policy and defines tunnel parameters.
Router R1 has ISAKMP policies numbered 1, 5, 9, and 203. Router R2 only has default policies. How will R1 negotiate the IKE Phase 1 tunnel with R2?
a) R1 and R2 cannot match policies because numbers differ.
b) R1 will attempt to match policy #1 with the most secure matching policy on R2.
c) R1 will try to match policy #203 with the most secure default policy on R2.
d) R1 will begin with policy #1 and match it with R2’s policy #65514.
Answer:
b) R1 will attempt to match policy #1 with the most secure matching policy on R2.
Explanation:
R1 offers its policies in ascending order of number (lowest number = highest priority), starting with #1; R2 compares each offer against its own policies, also from lowest number up, and the first match wins. IOS ships default ISAKMP policies numbered 65507 through 65514, so the match will be between R1's policy #1 and the highest-priority (lowest-numbered, most secure) default on R2 whose encryption, hash, authentication method and DH group all agree. Policy numbers themselves never have to match between peers.
Cisco Explanation:
Peers negotiate starting with the lowest-numbered ISAKMP policy. R1 will attempt to use its policy #1 with R2’s most secure default policy.
When configuring an ISR for a site-to-site VPN, what is the purpose of the crypto map command in interface configuration mode?
a) To configure the transform set
b) To bind the interface to the ISAKMP policy
c) To force IKE Phase 1 negotiations to begin
d) To negotiate the SA policy
Answer:
b) To bind the interface to the ISAKMP policy
Explanation:
Applying the crypto map to an interface activates the VPN policy there: the map's peer, transform set and interesting-traffic ACL are evaluated against traffic leaving that interface, and IKE negotiation starts only when matching traffic appears.
Cisco Explanation:
The crypto map command binds the interface to the ISAKMP policy. Transform sets and negotiations occur in separate steps.
Which statement describes the effect of key length in deterring an attacker from breaking encryption?
a) The length of a key does not affect security.
b) The shorter the key, the harder it is to break.
c) The length of a key will not vary between algorithms.
d) The longer the key, the more key possibilities exist.
Answer:
d) The longer the key, the more key possibilities exist.
Explanation:
Each additional key bit doubles the keyspace, so a 128-bit key has 2^64 times as many possible keys as a 64-bit key; a brute-force attacker must try on average half of them, which is why key length, together with a sound algorithm, sets the cost of exhaustive search.
Cisco Explanation:
A 64-bit key might take one year to break, while a 128-bit key could take billions of years. Longer keys mean exponentially greater key possibilities.
Which two statements describe a remote access VPN? (Choose two.)
a) It may require VPN client software on hosts.
b) It requires hosts to send TCP/IP traffic through a VPN gateway.
c) It connects entire networks to each other.
d) It is used to connect individual hosts securely to a company network over the Internet.
e) It requires static configuration of the VPN tunnel.
Answer:
a) It may require VPN client software on hosts.
d) It is used to connect individual hosts securely to a company network over the Internet.
Explanation:
Remote access VPNs connect single users to corporate networks through VPN clients.
Cisco Explanation:
Remote access VPNs support telecommuters and mobile users connecting securely to the company network via client software over the Internet.
Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers for multiple protocols?
a) IKE
b) IPsec
c) OSPF
d) GRE
Answer:
d) GRE
Explanation:
GRE encapsulates multiprotocol traffic into IP tunnels but does not encrypt data.
Cisco Explanation:
Generic Routing Encapsulation (GRE) is a tunnelling protocol that encapsulates multiprotocol traffic between routers. GRE does not encrypt data.
How is “tunneling” accomplished in a VPN?
a) New headers from one or more VPN protocols encapsulate the original packets.
b) All packets between hosts are sent on a private physical medium.
c) Packets are disguised to look like other types of traffic.
d) A dedicated circuit is established between the devices.
Answer:
a) New headers from one or more VPN protocols encapsulate the original packets.
Explanation:
Tunnelling wraps the original packet in new headers (for example GRE and/or ESP) so that it can be routed across a public network as ordinary IP; the encapsulating VPN protocol's headers are also what carry the authentication and encryption data.
Cisco Explanation:
Packets in a VPN are encapsulated with headers from one or more VPN protocols before being sent across third-party networks. This process is called “tunnelling.”
Which two scenarios are examples of remote access VPNs? (Choose two.)
a) All users at a large branch office can access company resources through a single VPN connection.
b) A small branch office with three employees has a Cisco ASA that is used to create a VPN connection to HQ.
c) A toy manufacturer has a permanent VPN connection to one of its parts suppliers.
d) A mobile sales agent is connecting to the company network via the Internet connection at a hotel.
e) An employee who is working from home uses VPN client software on a laptop in order to connect to the company network.
Answer:
d) A mobile sales agent is connecting to the company network via the Internet connection at a hotel.
e) An employee who is working from home uses VPN client software on a laptop in order to connect to the company network.
Explanation:
Remote access VPNs connect individual users securely to a network through client software rather than connecting entire sites.
Cisco Explanation:
Remote access VPNs connect individual users to another network via VPN client software installed on the user device. Site-to-site VPNs are always-on links that connect two sites via VPN gateways.
Which statement accurately describes a characteristic of IPsec?
a) IPsec works at the application layer and protects all application data.
b) IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
c) IPsec is a framework of proprietary standards that depend on Cisco-specific algorithms.
d) IPsec works at the transport layer and protects data at the network layer.
e) IPsec is a framework of open standards that relies on existing algorithms.
Answer:
e) IPsec is a framework of open standards that relies on existing algorithms.
Explanation:
IPsec is not a single protocol but an open framework that combines standard algorithms for confidentiality, integrity, authentication, and key exchange.
Cisco Explanation:
IPsec can secure a path between two network devices. It provides confidentiality (encryption), integrity (hashing), authentication (IKE), and secure key exchange (Diffie-Hellman).
Which is a requirement of a site-to-site VPN?
a) It requires hosts to use VPN client software to encapsulate traffic.
b) It requires placement of a VPN server at the edge of the company network.
c) It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic.
d) It requires a client/server architecture.
Answer:
c) It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic.
Explanation:
Site-to-site VPNs connect entire networks using dedicated VPN gateways, not per-host client software.
Cisco Explanation:
Site-to-site VPNs are static tunnels connecting whole networks. VPN gateways encapsulate and decrypt traffic between sites. Hosts are unaware of the tunnel.
Consider the following configuration on a Cisco ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
What is the purpose of this command?
a) To define the ISAKMP parameters that are used to establish the tunnel.
b) To define the encryption and integrity algorithms that are used to build the IPsec tunnel.
c) To define what traffic is allowed through and protected by the tunnel.
d) To define only the allowed encryption algorithms.
Answer:
b) To define the encryption and integrity algorithms that are used to build the IPsec tunnel.
Explanation:
The transform set defines which encryption and authentication algorithms protect IPsec traffic. The combination in the example, single DES with HMAC-SHA-1, is obsolete: DES has a 56-bit key and is brute-forceable, so a current deployment should use AES (AES-256 or AES-GCM) with SHA-256 or stronger.
Cisco Explanation:
The transform set is negotiated during Phase 2 and defines acceptable encryption and authentication schemes. In this example, ESP provides confidentiality using DES and integrity using SHA-HMAC.
What is needed to define interesting traffic in the creation of an IPsec tunnel?
a) Security associations
b) Hashing algorithm
c) Access list
d) Transform set
Answer:
c) Access list
Explanation:
An access list defines which traffic triggers the establishment of the IPsec tunnel.
Cisco Explanation:
To bring up an IPsec tunnel, an access list with a permit statement identifies interesting traffic. When such traffic is detected, SAs are negotiated.
What is a function of the GRE protocol?
a) To configure the set of encryption and hashing algorithms used for IPsec tunnels
b) To encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel
c) To configure the IPsec tunnel lifetime
d) To provide encryption through the IPsec tunnel
Answer:
b) To encapsulate multiple OSI Layer 3 protocol packet types inside an IP tunnel.
Explanation:
GRE encapsulates various network protocols into IP tunnels, but it does not perform encryption.
Cisco Explanation:
GRE supports multiprotocol tunnelling by encapsulating multiple OSI Layer 3 protocol types inside an IP tunnel. GRE enables routing protocols across tunnels but does not provide encryption.
Refer to the exhibit. What HMAC algorithm is being used to provide data integrity?
a) MD5
b) AES
c) SHA
d) DH
Answer:
c) SHA
Explanation:
HMAC-SHA combines the SHA hash with the shared key, so the ICV on each packet both verifies integrity and proves that the sender knew the key; a plain, unkeyed hash could simply be recomputed by an attacker after modifying the packet.
Cisco Explanation:
The command hash sha indicates that SHA is used for integrity. AES provides confidentiality, DH handles key exchange, and RSA is used for authentication.
Two corporations have completed a merger. The engineer must connect both networks securely without leased lines. Which is the most cost-effective method?
a) Cisco AnyConnect Secure Mobility Client with SSL
b) Cisco Secure Mobility Clientless SSL VPN
c) Frame Relay
d) Remote access VPN using IPsec
e) Site-to-site VPN
Answer:
e) Site-to-site VPN
Explanation:
A site-to-site IPsec VPN securely connects two corporate networks over the Internet, avoiding leased-line costs.
Cisco Explanation:
A site-to-site VPN extends a WAN connection to link entire networks. It’s more economical than Frame Relay or leased lines and better suited than remote-access VPNs for inter-network connectivity.
Refer to the exhibit. What show command displays whether the securityk9 package is installed and the EULA license activated?
a) show running-config
b) show version
c) show interfaces s0/0/0
d) show crypto isakmp policy 1
Answer:
b) show version
Explanation:
show version displays license and feature information, including securityk9 status.
Cisco Explanation:
The show version command reveals technology package statuses. If “securityk9” is active with EvalRightToUse, crypt
What type of traffic is supported by IPsec?
a) IPsec supports all IPv4 traffic.
b) IPsec supports layer 2 multicast traffic.
c) IPsec supports all traffic permitted through an ACL.
d) IPsec only supports unicast traffic.
Answer:
d) IPsec only supports unicast traffic.
Explanation:
IPsec in its basic form protects only unicast IP packets; multicast and non-IP traffic, such as routing-protocol hellos, must first be encapsulated in GRE, and the resulting unicast GRE packets are then protected by IPsec between the peers.
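GRE over IPsec for R1, so that OSPF (which uses multicast hellos) can run between the two sites. This is an added example, not code from the page or from Cisco's material; addresses, names and the key are assumed. It uses an IPsec profile with tunnel protection, which is my choice over the crypto-map approach the page describes (the crypto-map equivalent is noted after the block); the Phase 1 policy is the same as for a plain site-to-site tunnel.

```cisco
! R1: GRE tunnel protected by IPsec. Example configuration; addresses,
! names and the key are assumed. R2 mirrors it (10.0.0.2, peer 203.0.113.1).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GRE-PSK-Example address 203.0.113.2
!
! Transport mode is sufficient: GRE already supplies the outer IP header,
! so ESP only needs to protect the GRE payload and saves 20 bytes per packet.
crypto ipsec transform-set GRE-SET esp-aes 256 esp-sha256-hmac
 mode transport
!
! An IPsec profile replaces the crypto map and its ACL: everything that
! leaves the tunnel interface is protected, whatever the inner protocol.
crypto ipsec profile GRE-PROT
 set transform-set GRE-SET
 set pfs group14
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ! GRE + ESP overhead would otherwise push full-size frames past 1500 bytes.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
!
! OSPF hellos (224.0.0.5) now cross the WAN inside GRE inside ESP.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verify:
!   show ip ospf neighbor  -> neighbour 10.0.0.2 in FULL state on Tunnel0
!   show crypto ipsec sa   -> local/remote ident host 203.0.113.x proto 47
!                             (GRE), encaps/decaps counters increasing
```

To do the same with the page's crypto-map method instead, leave out tunnel protection and the profile, match an ACL of `permit gre host 203.0.113.1 host 203.0.113.2` in a crypto map applied to Serial0/0/0; the interesting traffic is then the GRE packets themselves, not the LAN subnets. Either way, routing-protocol multicast never touches IPsec directly, which is the point of the question above.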