1. Home
  2. Networking
  3. CCSP Cisco Certified Security Professional Certification

Chapter Review

Chapter Review

This chapter looked at steps involved in configuring IPSec for CA support. The steps and related commands are summarized in the following task list:

Task 1 Prepare for IKE and IPSec

  • Step 1–1 Plan for CA support

  • Step 1–2 Determine the IKE (IKE phase one) policies

  • Step 1–3 Determine the IPSec (IKE phase two) policies

  • Step 1–4 Check the current configuration

    show running-configuration

    show isakmp [policy]

    show crypto map

  • Step 1–5 Ensure the network works without encryption

    ping

  • Step 1–6 Ensure access control lists are compatible with IPSec

    show access-lists

Task 2 Configure CA support

  • Step 2–1 Manage the NVRAM memory usage (Optional)

    crypto ca certificate query

  • Step 2–2 Set the router’s time and date

    ntp broadcast client

    sntp broadcast client

    clock set

  • Step 2–3 Configure the router’s host name and domain name

    hostname

    ip domain-name

    ip host

  • Step 2–4 Generate an RSA key pair

    crypto key generate rsa

  • Step 2–5 Declare a CA

    crypto ca identity

    enrollment url

    query url

    crl optional

    enrollment mode ra

    enrollment retry count

    enrollment retry period

  • Step 2–6 Authenticate the CA

    crypto ca authenticate

  • Step 2–7 Request your own certificate

    crypto ca enroll

  • Step 2–8 Save the configuration

    copy running-config startup-config

  • Step 2–9 Monitor and maintain CA interoperability (Optional)

    Request a CRL

    crypto ca crl request

    Delete your router’s RSA keys:

    crypto key zeroize rsa

    Delete both public and private certificates from the configuration:

    no certificate certificate-serial-numberno crypto ca identity

    Delete peer’s public keys:

    no named-key key-nameno addressed-key key-address

  • Step 2–10 Verify the CA support configuration

    show crypto ca certificates

    show crypto key mypubkey rsa

    show crypto key pubkey-chain rsa

Task 3 Configure IKE

  • Step 3–1 Enable or disable IKE

    crypto isakmp enable

  • Step 3–2 Create IKE policies

    crypto isakmp policy

    authentication

    encryption

    hash

    group

    lifetime

  • Step 3–3 Configure preshared keys

    crypto isakmp key

  • Step 3–4 Verify the IKE configuration

    show crypto isakmp policy

Task 4 Configure IPSec

  • Step 4–1 Configure transform set suites

    crypto ipsec transform-set

  • Step 4–2 Configure global IPSec security association lifetimes

    crypto ipsec security-association lifetime

  • Step 4–3 Configure crypto ACLs

    access-list

  • Step 4–4 Configure crypto maps

    crypto map

  • Step 4–5 Apply the crypto maps to the interface

    interface

    crypto map

Task 5 Test and verify IPSec

  • Step 5–1 Display the configured IKE policies

    show crypto isakmp policy

  • Step 5–2 Display the configured transform sets

    show crypto ipsec transform set

  • Step 5–3 Display the current state of the IPSec SAs

    show crypto ipsec sa

  • Step 5–4 Display the configured crypto maps

    show crypto map

  • Step 5–5 Debug IKE events

    debug crypto isakmp

  • Step 5–6 Debug IPSec events

    debug crypto ipsec

Questions

1.?

A digital certificate is conceptually most like which type of document?

  1. Event admission ticket

  2. Vehicle license plate

  3. Passport

  4. Social Security card

C. Passport

2.?

Which of the following is not a common name for a database service running on an existing or dedicated server that allows users to submit and retrieve digital certificates?

  1. Certificate server

  2. CRL

  3. Cert server

  4. Key server

B. CRL

3.?

What does the acronym PKI stand for?

  1. PIX Key Interchange

  2. Private Key Interchange

  3. Public Key Infrastructures

  4. PIX Key Interface

C. Public Key Infrastructures

4.?

Digital certificates are generated by which of the following?

  1. Sending peer

  2. Certificate authority

  3. Receiving peer

  4. The government

B. Certificate authority

5.?

When checking a certificate against a CRL, what happens if a match occurs?

  1. The certificate is accepted

  2. A new CRL is requested

  3. The certificate is rejected

  4. The request is sent to the CA

C. The certificate is rejected-it has been revoked

6.?

Which of the following is a server that acts as a proxy for the CA, so CA functions can continue when the CA is offline or otherwise unavailable?

  1. CRL

  2. CAR

  3. CA

  4. RA

D. RA

7.?

Which of the following is an initiative for furthering open development for certificate-handling protocols that can help ensure interoperability with devices from many vendors?

  1. PKI

  2. CA

  3. LDAP

  4. SCEP

D. SCEP-Simple Certificate Enrollment Protocol

8.?

Which of the following is not a CA provider supported by the Cisco IOS?

  1. Entrust Technologies, Inc.

  2. Symantic

  3. VeriSign

  4. Microsoft

B. Symantic

9.?

Which is the IKE keyword for CA support authentication method?

  1. rsa-sig

  2. pki

  3. rsa-encr

  4. preshare

A. rsa-sig

10.?

Which command specifies that certificates and CRLs should not be stored locally, but should be retrieved from the CA as needed?

  1. no ntp peer ip-address

  2. crypto key generate rsa

  3. crypto ca identity

  4. crypto ca certificate query

D. crypto ca certificate query

11.?

In the following command, what does the word “six” represent?

Rtr1(config)#clock timezone CST -6

  1. The number six is a sequence number

  2. Six hours behind NY standard time

  3. Six hours behind UTC/GMT

  4. Six hours ahead of UTC/GMT

C. Six hours behind UTC/GMT

12.?

Given the following command, how many RSA key pairs will be generated?

Rtr1(config)#crypto key generate rsa usage-keys

  1. 1

  2. 2

  3. 3

  4. 4

B. 2

13.?

Which command is used to define the CA?

  1. crypto ca enroll

  2. crypto ca identity

  3. crypto ca authenticate

  4. crypto key zeroize rsa

B. crypto ca identity

14.?

Which command removes all certificates associated with the CA—the router’s certificate, the CA certificate, and any RA certificates?

  1. no named-key key-name

  2. no crypto ca identity

  3. crypto key zeroize rsa

  4. no certificate

B. no crypto ca identity

15.?

Which of the following is not required for CA support on Cisco IOS devices?

  1. Hostname defined

  2. Special-usage keys ordered

  3. Domain name defined

  4. Software clock set

B. Special-usage keys ordered

Answers

1.?

C. Passport

2.?

B. CRL

3.?

C. Public Key Infrastructures

4.?

B. Certificate authority

5.?

C. The certificate is rejected—it has been revoked

6.?

D. RA

7.?

D. SCEP—Simple Certificate Enrollment Protocol

8.?

B. Symantic

9.?

A. rsa-sig

10.?

D. crypto ca certificate query

11.?

C. Six hours behind UTC/GMT

12.?

B. 2

13.?

B. crypto ca identity

14.?

B. no crypto ca identity

15.?

B. Special-usage keys ordered



BackCover
CCSP - Cisco Certified Security Professional Certification All-in-One Exam Guide
Introduction
Part I: Introduction to Network Security
Part II: Securing the Network Perimeter
Part III: Virtual Private Networks (VPNs)
Chapter 9: Cisco IOS IPSec Introduction
Chapter 10: Cisco IOS IPSec for Preshared Keys
Chapter 11: Cisco IOS IPSec Certificate Authority Support
CA Support Overview
Configure CA Support Tasks
RSA Encrypted Nonces Overview
Chapter Review
Chapter 12: Cisco IOS Remote Access Using Cisco Easy VPN
Chapter 13: Cisco VPN Hardware Overview
Chapter 14: Cisco VPN 3000 Remote Access Networks
Chapter 15: Configuring Cisco VPN 3002 Remote Clients
Chapter 16: Cisco VPN 3000 LAN-to-LAN Networks
Part IV: PIX Firewalls
Part V: Intrusion Detection Systems (IDS)
Part VI: Cisco SAFE Implementation
Appendix A: Access Control Lists
Appendix B: About the CD
List of Figures
List of Tables
List of Sidebars