Chapter Review

Chapter Review

This chapter looked at steps involved in configuring IPSec for CA support. The steps and related commands are summarized in the following task list:

Task 1 Prepare for IKE and IPSec

  • Step 1–1 Plan for CA support

  • Step 1–2 Determine the IKE (IKE phase one) policies

  • Step 1–3 Determine the IPSec (IKE phase two) policies

  • Step 1–4 Check the current configuration

    show running-configuration

    show isakmp [policy]

    show crypto map

  • Step 1–5 Ensure the network works without encryption


  • Step 1–6 Ensure access control lists are compatible with IPSec

    show access-lists

Task 2 Configure CA support

  • Step 2–1 Manage the NVRAM memory usage (Optional)

    crypto ca certificate query

  • Step 2–2 Set the router’s time and date

    ntp broadcast client

    sntp broadcast client

    clock set

  • Step 2–3 Configure the router’s host name and domain name


    ip domain-name

    ip host

  • Step 2–4 Generate an RSA key pair

    crypto key generate rsa

  • Step 2–5 Declare a CA

    crypto ca identity

    enrollment url

    query url

    crl optional

    enrollment mode ra

    enrollment retry count

    enrollment retry period

  • Step 2–6 Authenticate the CA

    crypto ca authenticate

  • Step 2–7 Request your own certificate

    crypto ca enroll

  • Step 2–8 Save the configuration

    copy running-config startup-config

  • Step 2–9 Monitor and maintain CA interoperability (Optional)

    Request a CRL

    crypto ca crl request

    Delete your router’s RSA keys:

    crypto key zeroize rsa

    Delete both public and private certificates from the configuration:

    no certificate certificate-serial-numberno crypto ca identity

    Delete peer’s public keys:

    no named-key key-nameno addressed-key key-address

  • Step 2–10 Verify the CA support configuration

    show crypto ca certificates

    show crypto key mypubkey rsa

    show crypto key pubkey-chain rsa

Task 3 Configure IKE

  • Step 3–1 Enable or disable IKE

    crypto isakmp enable

  • Step 3–2 Create IKE policies

    crypto isakmp policy






  • Step 3–3 Configure preshared keys

    crypto isakmp key

  • Step 3–4 Verify the IKE configuration

    show crypto isakmp policy

Task 4 Configure IPSec

  • Step 4–1 Configure transform set suites

    crypto ipsec transform-set

  • Step 4–2 Configure global IPSec security association lifetimes

    crypto ipsec security-association lifetime

  • Step 4–3 Configure crypto ACLs


  • Step 4–4 Configure crypto maps

    crypto map

  • Step 4–5 Apply the crypto maps to the interface


    crypto map

Task 5 Test and verify IPSec

  • Step 5–1 Display the configured IKE policies

    show crypto isakmp policy

  • Step 5–2 Display the configured transform sets

    show crypto ipsec transform set

  • Step 5–3 Display the current state of the IPSec SAs

    show crypto ipsec sa

  • Step 5–4 Display the configured crypto maps

    show crypto map

  • Step 5–5 Debug IKE events

    debug crypto isakmp

  • Step 5–6 Debug IPSec events

    debug crypto ipsec



A digital certificate is conceptually most like which type of document?

  1. Event admission ticket

  2. Vehicle license plate

  3. Passport

  4. Social Security card

 C. Passport


Which of the following is not a common name for a database service running on an existing or dedicated server that allows users to submit and retrieve digital certificates?

  1. Certificate server

  2. CRL

  3. Cert server

  4. Key server



What does the acronym PKI stand for?

  1. PIX Key Interchange

  2. Private Key Interchange

  3. Public Key Infrastructures

  4. PIX Key Interface

 C. Public Key Infrastructures


Digital certificates are generated by which of the following?

  1. Sending peer

  2. Certificate authority

  3. Receiving peer

  4. The government

 B. Certificate authority


When checking a certificate against a CRL, what happens if a match occurs?

  1. The certificate is accepted

  2. A new CRL is requested

  3. The certificate is rejected

  4. The request is sent to the CA

 C. The certificate is rejected-it has been revoked


Which of the following is a server that acts as a proxy for the CA, so CA functions can continue when the CA is offline or otherwise unavailable?

  1. CRL

  2. CAR

  3. CA

  4. RA

 D. RA


Which of the following is an initiative for furthering open development for certificate-handling protocols that can help ensure interoperability with devices from many vendors?

  1. PKI

  2. CA

  3. LDAP

  4. SCEP

 D. SCEP-Simple Certificate Enrollment Protocol


Which of the following is not a CA provider supported by the Cisco IOS?

  1. Entrust Technologies, Inc.

  2. Symantic

  3. VeriSign

  4. Microsoft

 B. Symantic


Which is the IKE keyword for CA support authentication method?

  1. rsa-sig

  2. pki

  3. rsa-encr

  4. preshare

 A. rsa-sig


Which command specifies that certificates and CRLs should not be stored locally, but should be retrieved from the CA as needed?

  1. no ntp peer ip-address

  2. crypto key generate rsa

  3. crypto ca identity

  4. crypto ca certificate query

 D.  crypto ca certificate query


In the following command, what does the word “six” represent?

Rtr1(config)#clock timezone CST -6 
  1. The number six is a sequence number

  2. Six hours behind NY standard time

  3. Six hours behind UTC/GMT

  4. Six hours ahead of UTC/GMT

 C. Six hours behind UTC/GMT


Given the following command, how many RSA key pairs will be generated?

Rtr1(config)#crypto key generate rsa usage-keys
  1. 1

  2. 2

  3. 3

  4. 4

 B. 2


Which command is used to define the CA?

  1. crypto ca enroll

  2. crypto ca identity

  3. crypto ca authenticate

  4. crypto key zeroize rsa

 B.  crypto ca identity


Which command removes all certificates associated with the CA—the router’s certificate, the CA certificate, and any RA certificates?

  1. no named-key key-name

  2. no crypto ca identity

  3. crypto key zeroize rsa

  4. no certificate

 B.  no crypto ca identity


Which of the following is not required for CA support on Cisco IOS devices?

  1. Hostname defined

  2. Special-usage keys ordered

  3. Domain name defined

  4. Software clock set

 B. Special-usage keys ordered



C. Passport




C. Public Key Infrastructures


B. Certificate authority


C. The certificate is rejected—it has been revoked




D. SCEP—Simple Certificate Enrollment Protocol


B. Symantic


A. rsa-sig


D. crypto ca certificate query


C. Six hours behind UTC/GMT


B. 2


B. crypto ca identity


B. no crypto ca identity


B. Special-usage keys ordered

Part III: Virtual Private Networks (VPNs)