Table 19-2 IPsec Goals and the Methods Used to Implement Them
Goal                  | Method That Provides the Feature
Confidentiality       | Encryption
Data integrity        | Hashing
Peer authentication   | Pre-shared keys (PSK) or RSA signatures
Antireplay            | Sequence numbers
Who Begins the Negotiation?
The initiator sends over all of its IKE Phase 1 policies, and the other VPN peer looks at all of those
policies to see whether any of its own policies match the ones it just received. If there is a matching
policy, the recipient of the negotiations sends back information about which received policy matches,
and they use that matching policy for the IKE Phase 1 tunnel.
1. An eavesdropper could read the traffic above in the clear if the 10.0.0.0 network were
able to reach 172.16.0.0 across the Internet without encryption. This is
actually possible with something like a GRE tunnel (tunneling without encryption).
7. You can use the default policy if both sides are using the same policy.
   a. Remember, we decided on:
      i. MD5 hashing
      ii. PSK authentication
      iii. DH group 2 for key exchange
      iv. AES 128-bit key for encryption
   b. The defaults are not the same as what we have chosen, so:
      i. Click Add
13. After clicking Add, choose your algorithms (they must match the other router).
   a. Name your transform set
   b. Select your Data Integrity Algorithm (AKA hashing algorithm)
   c. Select your Confidentiality Algorithm (AKA encryption algorithm)
   d. Click OK
14. Crypto ACL: used to select, based on source and destination subnets, which traffic
will be encrypted and sent over the VPN.
15. Crypto Map: a Crypto ACL is not applied to any interface directly; it is applied to a
policy called a Crypto Map. The Crypto Map is then applied to an interface.
16. Fill in the following fields for traffic that needs to be encrypted by IPsec.
5. If saving the R2 config via the CLI, make sure to refresh R2 from CCP so that it reflects the
new configuration.
6. Saving both the R1 and R2 configuration changes to NVRAM is also
recommended.
7. Below we generate traffic from 10.0.0.0/24 by pinging 172.16.0.4. A successful
ping verifies that the tunnel is up.
8. Subsequent packets use the newly formed IKE Phase 2 (IPsec) tunnel for the lifetime of that tunnel.
9. Using the CLI to verify the IPsec VPN
1. Which technology is a primary method that IPsec uses to implement data integrity?
a. MD5
b. AES
c. RSA
d. DH
2. What are the source and destination addresses used for an encrypted IPsec packet?
a. Original sender and receiver IP addresses
b. Original sender's and outbound VPN gateway's addresses
c. Sending and receiving VPN gateways
d. Sending VPN gateway and original destination address in the packet
3. Which tunnel is used for private management traffic between the two VPN peers?
a. IPsec
b. IKE Phase 1
c. IKE Phase 2
d. IKE Phase 3
4. Which of the following are negotiated during IKE Phase 1?
a. Hashing
b. DH group
c. Encryption
d. Authentication method
5. What method is used to allow two VPN peers to establish shared secret keys and to
establish those keys over an untrusted network?
a. AES
b. SHA
c. RSA
d. DH
6. Which of the following is not part of the IKE Phase 1 process?
a. Negotiation of the IKE phase 1 protocols
b. Running DH
c. Authenticating the peer
d. Negotiating the transform set to use
7. How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely?
a. Use the IKE Phase 1 tunnel
b. Uses the IPsec tunnel
c. Uses the IKE Phase 2 tunnel
d. Uses RSA
8. What are the two main methods for authenticating a peer as the last step of IKE
Phase 1? (Choose all that apply.)
a. RSA signatures, using digital certificates to exchange public keys
b. PSK (pre-shared key)
c. DH Group 2
d. TCP three-way handshake
9. Which component acts as an if-then statement, looking for packets that should be
encrypted before they leave the interface?
a. crypto isakmp policy
b. crypto map
c. crypto ipsec transform-set
d. crypto access-list (access list used for cryptography)
10. What is true about symmetrical algorithms and symmetrical crypto access lists used
on VPN peers?
a. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers should symmetrically swap the
source and destination portions of the ACL
b. Symmetrical algorithms like RSA use the same secret (key) to lock and unlock
the data. Symmetrical ACLs between two VPN peers should symmetrically
swap the source and destination portions of the ACL
c. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers should be identical
d. Symmetrical algorithms use the same secret (key) to lock and unlock the data.
Symmetrical ACLs between two VPN peers require that only symmetrical
algorithms be used for all aspects of IPsec.
11. Which one of the following commands reveals the ACLs, transform sets, and peer
information and indicates which interface is being used to connect to the remote
IPsec VPN peer?
a. show crypto map
b. show crypto isakmp policy
c. show crypto config
d. show crypto ipsec sa
Key Topic          | Page Number
Text: IPsec goals  | 468
Text               | 469
Text               | 470
Text               | 472
Text               | 473
Text               | 474
Text               | 475
Figure 19-8        | 478
Figure 19-11       | 480
Figure 19-13       | 481
                   | 482
                   | 486
                   | 487
VPN load balancing (clustering)
Load balancing using an external load balancer: allows the load between devices to be shared among them.
We have greater flexibility in choosing load-balancing algorithms than with clustering.
Differing hardware and software revisions can be used.
LAN Failover fields:
Interface
Logical Name
Active IP
Subnet Mask
Standby IP
Preferred Role
Stateful failover link fields:
Interface: Select the interface from the list available. This need not be a
physically separate interface from the LAN failover connection; however, it is
recommended. If you select the same interface as the failover one, there is no
need to supply IP addressing information, only the logical name (nameif).
Logical Name
Active IP
Subnet Mask: Enter the subnet mask that corresponds to the active IP address on the stateful link.
Standby IP
Key terms: IKE Phase 1, IKE Phase 2, transform set, DH group, lifetime, authentication, encryption, hashing, DH key exchange
crypto isakmp policy 3
Verify which components are included in the crypto map, including the ACL,
the peer address, the transform set, and where the crypto map is applied.
crypto ipsec transform-set myset
This is the beginning sequence for creating an IKE Phase 2 transform set named
myset. It is followed by the HMAC (hashing with authentication) and
encryption method (3DES, or preferably AES) that you want to use.