Take Assessment - Module 3 Exam - CCNP: Implementing Secure Converged Wide-area Networks (Version 5.0)

1. Which statement is true about Internet Key Exchange (IKE)?
   a) An administrator must manually specify all of the IPsec security parameters at both peers.
   b) Encryption keys can only change after an IPsec session has ended.
   c) IKE provides anti-replay services.
   d) Dynamic authentication of peers is not permitted.

2. What are two features of the Internet Key Exchange (IKE) protocol? (Choose two.)
   a) automatic key regeneration
   b) can be used as a replacement of IPsec
   c) negotiation of SA characteristics
   d) packet encryption
   e) tunnel negotiation

3. Which two statements about the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols are true? (Choose two.)
   a) With the use of ESP in transport mode, only the data portion of the original IP datagram is encrypted.
   b) With the use of ESP in transport mode, only the IP header portion of the original IP datagram is encrypted.
   c) With the use of ESP in transport mode, both the IP header and data portion of the original IP datagram are encrypted.
   d) AH can only be deployed in transport mode.
   e) AH can only be deployed in tunnel mode.
   f) Tunnel mode and transport mode can be deployed with either ESP or AH or both.

4. Refer to the exhibit. Which set of commands would correctly configure this router to display the output that is generated for policy 20 in the exhibit?
   a) crypto isakmp policy 20
        hash md5
        authentication rsa-sig
        group 1
        lifetime 5000
   b) crypto isakmp policy 20
        authentication pre-share
        lifetime 10000
   c) crypto isakmp policy 20
        hash sha
        authentication rsa-sig
        group 1
   d) crypto isakmp policy 20
        hash sha
        group 1
        lifetime 10000

5. Refer to the exhibit. Which task would specify the encryption algorithm, authentication algorithm, and key exchange method to be used when negotiating a VPN connection with the remote device?
   a) Selecting the interface on which the client connections will terminate.
   b) Configuring IKE policies.
   c) Configuring an IPsec transform set.
   d) Configuring a group policy lookup method.
   e) Configuring user authentication.
   f) Configuring group policies on the local router.

6. Refer to the exhibit. On the basis of the provided information, which two statements must be true? (Choose two.)
   a) Interface Fa1 of router RTB is on the 192.168.200.0/24 network.
   b) The command crypto map MYMAP has been issued on interface Fa1 of router RTA.
   c) The command ip address 192.168.191.2 255.255.255.0 has been issued on interface Fa1 of router RTA.
   d) Router RTA has been configured with the command access-list 120 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255.
   e) Router RTA has been configured with the command crypto ipsec transform-set MYMAP esp-des.
   f) The output was generated by the show crypto isakmp command.

7. What is the first step when launching the SDM Easy VPN Server wizard to set up an IPsec VPN server?
   a) Configure the IKE proposals.
   b) Configure Diffie-Hellman group 1, 2, or 5.
   c) Select the encryption algorithm.
   d) Select the interface for terminating IPsec.
   e) Select either tunnel or transport mode.

8. Refer to the exhibit. On the basis of the information that is displayed in the VPN Wizard configuration summary, which two statements are true? (Choose two.)
   a) A VPN peer must support one of the two IKE policies.
   b) A VPN peer must support both IKE policies.
   c) The inside FastEthernet interface must have an IP address in subnet 10.1.1.0/24.
   d) The inside FastEthernet interface must have an IP address in subnet 10.1.2.0/24.
   e) The mode that is chosen encrypts data but does not encrypt the IP header.
   f) The mode that is chosen encrypts both the data and the IP header.

9. With the Cisco Easy VPN Remote feature, which three devices can be configured to act as remote VPN clients? (Choose three.)
   a) Cisco IOS routers
   b) Cisco VPN 3002 hardware clients
   c) Cisco VPN 3008 concentrators
   d) Cisco VPN 3010 hardware clients
   e) Cisco IDS sensors
   f) Cisco PIX firewalls

10. What are the two components of Cisco Easy VPN? (Choose two.)
   a) Cisco Easy VPN GRE
   b) Cisco Easy VPN Router wizard
   c) Cisco Easy VPN Remote
   d) Cisco Easy VPN One-Click wizard
   e) Cisco Easy VPN Server

11. Which statement is true about creating a new VPN connection entry in the Cisco VPN client?
   a) Transparent tunneling must be enabled.
   b) Mutual Group Authentication is selected by default in the Authentication tab.
   c) The Name field in the Group Authentication form in the Authentication tab is case sensitive.
   d) The Connection Entry field is case sensitive.

12. High availability must be configured on router RTE using the dead peer detection (DPD) mechanism. DPD must be configured to detect the dead peer as soon as possible, use a 10-second frequency, and use a 5-second retry interval. Which global configuration command would correctly configure router RTE to do so?
   a) crypto isakmp keepalive 10
   b) crypto isakmp keepalive 10 5
   c) crypto isakmp keepalive 10 on-demand
   d) crypto isakmp keepalive 10 5 periodic
   e) crypto isakmp keepalive 10 5 on-demand

13. Which statement about high availability for IOS IPsec VPNs is true?
   a) Cisco IOS keepalive messages are sent by internal hosts to detect the active Hot Standby Routing Protocol (HSRP) enabled router.
   b) Dead peer detection (DPD) messages are sent by internal hosts to detect if the active HSRP enabled router is still active.
   c) DPD messages are routinely sent between IKE enabled routers when IPsec traffic is flowing.
   d) DPD and IOS keepalive features cannot be used in conjunction with multiple peers.
   e) When outbound IPsec traffic must be sent and the peer does not respond, the router sends a DPD message to the peer.

14. Which statement is true about secure GRE tunnels?
   a) GRE has built-in encryption which provides cryptographically strong confidentiality.
   b) GRE has built-in security features to secure any type of traffic.
   c) IPsec can be used to secure OSI Layer 3 traffic across a GRE tunnel.
   d) The transmission is secure because GRE encapsulates the datagram.

15. Refer to the exhibit. High availability has been configured on router RTE by using the dead peer detection (DPD) mechanism. Router RTA must be the primary peer, and router RTB the backup peer. Which set of commands would correctly configure this on router RTE?
   a) crypto map MYMAP 10 ipsec-isakmp
        set peer 10.1.2.1 default
        set peer 10.1.2.2
   b) crypto map MYMAP 10 ipsec-isakmp
        set peer 10.1.2.1 dynamic
        set peer 10.1.2.2
   c) crypto map MYMAP 10 ipsec-isakmp
        set peer 198.133.219.100 default
        set peer 198.133.219.200
   d) crypto map MYMAP 10 ipsec-isakmp
        set peer 198.133.219.100 dynamic
        set peer 198.133.219.200

16. Refer to the exhibit. A tunnel is established between routers RTA and RTB. Which three statements are true about traffic that flows from network A to network B? (Choose three.)
   a) Traffic cannot flow between network A and network B until NAT is activated on RTA.
   b) Because access-list 101 does not permit TCP or UDP, traffic will not be encrypted.
   c) Routers inside the Internet will see packets with the destination IP address of 128.107.155.2.
   d) Routers inside the Internet will see packets with the destination IP address of 192.168.0.2.
   e) Traffic will go through an IPsec tunnel.
   f) Traffic will go through a GRE tunnel.

17. Refer to the exhibit. A GRE tunnel must be configured between routers RTA and RTB. Assume that router RTB has been correctly configured. Which set of commands would correctly configure router RTA to encrypt traffic destined for router RTB?
   a) interface Tunnel0
        tunnel source FastEthernet0
        tunnel destination 172.16.3.1
   b) interface Tunnel0
        tunnel source FastEthernet0
        tunnel destination 172.16.13.2
   c) interface Tunnel0
        tunnel source FastEthernet0
        tunnel destination 192.168.23.3
   d) interface Tunnel0
        tunnel source Serial0
        tunnel destination 172.16.3.1
   e) interface Tunnel0
        tunnel source Serial0
        tunnel destination 172.16.13.2
   f) interface Tunnel0
        tunnel source Serial0
        tunnel destination 192.168.23.3

18. Which two statements are true about the use of SDM to configure a site-to-site VPN between two Cisco routers? (Choose two.)
   a) The SDM will allow a site-to-site VPN to be configured. However, Cisco IOS command-line interface experience is still required.
   b) Although the SDM can configure a site-to-site VPN, it is not a function of the SDM to autodetect misconfigurations and propose fixes.
   c) The SDM module that can be used to configure a site-to-site VPN is only available for the Cisco 2800 and 3800 series routers.
   d) The SDM can autodetect site-to-site VPN misconfigurations and propose fixes.
   e) With the use of SDM, no Cisco IOS command-line interface experience is required to configure a site-to-site VPN.
   f) To configure site-to-site VPNs on Cisco 1800 and 2800 series routers, an SDM upgrade must be downloaded from www.cisco.com.

19. Which three statements about GRE tunnels over IPsec are true? (Choose three.)
   a) GRE allows the use of routing protocols across the tunnel.
   b) GRE is a tunneling protocol developed by the ISO.
   c) GRE has very secure protocols built in to provide secure transit of traffic across the tunnel.
   d) GRE tunnels are stateless.
   e) GRE tunnels can be used to encapsulate IP, IPX, and AppleTalk protocols.
   f) GRE tunnels over IPsec will not encrypt other Layer 3 protocols such as IPX.

20. Which statement about transparent tunneling is true when a new VPN connection entry is made in the Cisco VPN client?
   a) When IPsec over UDP is selected, the port number is negotiated.
   b) When IPsec over TCP is selected, the port number is negotiated.
   c) The default mode is IPsec over TCP.
   d) When IPsec over TCP is selected, the port numbers of the client and the gateway do not have to match.
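Worked example. The following Cisco IOS configuration is added here for reference and is not part of the exam or its exhibits; it ties together the pieces that questions 4, 12, 15, 17 and 19 test individually: an ISAKMP (IKE phase 1) policy, DPD keepalives, a crypto map entry with a default (primary) and a backup peer for a LAN-to-LAN tunnel, and a second entry that protects a GRE tunnel so a routing protocol can run across it. All IP addresses, interface names, ACL numbers, the EIGRP AS number and the pre-shared key are assumed values chosen for illustration.

```text
! Added example, not taken from the exam. Addresses, names and keys are assumed.
!
! IKE phase 1 policy: encryption, hash, authentication method, DH group, lifetime.
! Older images only offer DH groups 1, 2 and 5; use group 14 where the image supports it.
crypto isakmp policy 20
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 10000
!
! Pre-shared keys for each peer (placeholder key; use a long random value in practice).
crypto isakmp key S3cr3tK3y address 198.133.219.100
crypto isakmp key S3cr3tK3y address 198.133.219.200
crypto isakmp key S3cr3tK3y address 203.0.113.1
!
! Dead peer detection: probe every 10 s, retry every 5 s, and probe continuously
! ("periodic") rather than only when traffic is waiting ("on-demand"), so a dead
! primary peer is noticed as soon as possible.
crypto isakmp keepalive 10 5 periodic
!
! IKE phase 2 transform sets. Tunnel mode for the LAN-to-LAN entry (outer IP header
! added by IPsec); transport mode for GRE, which already supplies an outer IP header.
crypto ipsec transform-set LAN2LAN esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set GRESET esp-aes 256 esp-sha-hmac
 mode transport
!
! Interesting traffic. ACL 120: local LAN to remote LAN (reached via RTA or RTB).
! ACL 121: only the GRE packets between the tunnel endpoints.
access-list 120 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 121 permit gre host 192.168.191.2 host 203.0.113.1
!
! Entry 10: RTA (.100) is the default peer, RTB (.200) the backup. When DPD declares
! .100 dead, new SAs are negotiated with .200.
crypto map MYMAP 10 ipsec-isakmp
 set peer 198.133.219.100 default
 set peer 198.133.219.200
 set transform-set LAN2LAN
 match address 120
!
! Entry 20: protects the GRE tunnel to a third site.
crypto map MYMAP 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRESET
 match address 121
!
! GRE tunnel. Source is the outside interface; destination is the far tunnel endpoint.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet1
 tunnel destination 203.0.113.1
!
! Outside interface carries the crypto map; one map covers both entries.
interface FastEthernet1
 ip address 192.168.191.2 255.255.255.0
 crypto map MYMAP
!
! Routing protocol across the GRE tunnel (not possible over plain IPsec alone).
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.200.0
```

Verify with show crypto isakmp policy (phase 1 parameters, including policy 20), show crypto isakmp sa (phase 1 state per peer), show crypto ipsec sa (phase 2 SAs and encrypt/decrypt counters per crypto map entry) and show crypto map (peers, transform set and matched ACL). Note that encrypted packets leaving FastEthernet1 carry the public peer address as their destination; routers on the Internet never see the inner LAN addresses.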
