This chapter looked at the steps involved in configuring IPSec with preshared keys. The steps and related commands are summarized in the following task list.
Task 1 Prepare for IKE and IPSec
  Step 1-1 Identify IPSec peers
  Step 1-2 Determine the IKE (IKE Phase 1) policies
  Step 1-3 Determine the IPSec (IKE Phase 2) policies
  Step 1-4 Check the current configuration
    show running-config
    show isakmp
    show crypto map
  Step 1-5 Ensure the network works without encryption
    ping
  Step 1-6 Ensure access control lists are compatible with IPSec
    show access-lists
Task 2 Configure IKE
  Step 2-1 Enable or disable IKE
    crypto isakmp enable
  Step 2-2 Create IKE policies
    crypto isakmp policy
    authentication
    encryption
    hash
    lifetime
  Step 2-3 Configure preshared keys
    crypto isakmp key
  Step 2-4 Verify the IKE configuration
    show crypto isakmp policy
Task 3 Configure IPSec
  Step 3-1 Configure transform set suites
    crypto ipsec transform-set
  Step 3-2 Configure global IPSec security association lifetimes
    crypto ipsec security-association lifetime
  Step 3-3 Configure crypto ACLs
    access-list
  Step 3-4 Configure crypto maps
    crypto map
  Step 3-5 Apply the crypto maps to the interface
    interface
    crypto map
Task 4 Test and verify IPSec
  Step 4-1 Display the configured IKE policies
    show crypto isakmp policy
  Step 4-2 Display the configured transform sets
    show crypto ipsec transform-set
  Step 4-3 Display the current state of the IPSec SAs
    show crypto ipsec sa
  Step 4-4 Display the configured crypto maps
    show crypto map
  Step 4-5 Debug IKE events
    debug crypto isakmp
  Step 4-6 Debug IPSec events
    debug crypto ipsec
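The commands from Tasks 2 through 4 assembled into one router's configuration, as an added example that is not from the original chapter. The addresses, the names VPN-SET and VPN-MAP, the ACL and policy numbers, the interface, the key placeholder and the choice of AES, SHA and group 14 are all assumptions, and it presumes an IOS release that supports those algorithms.

```cisco
! Constructed example for one peer ("Router A"). The other peer needs the
! same IKE policy values and preshared key, with the peer address and the
! crypto ACL source/destination reversed.
!
! Task 2: Configure IKE
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 ! group is not in the chapter's command list; set here to avoid the default
 group 14
 ! 43200 seconds = half a day
 lifetime 43200
! Placeholder key and peer address (documentation range)
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 198.51.100.2
!
! Task 3: Configure IPSec
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
! Crypto ACL: selects the traffic to protect (local LAN to remote LAN)
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-SET
 match address 110
! Hypothetical outside interface
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-MAP
!
! Task 4: verify from privileged EXEC mode
! show crypto isakmp policy
! show crypto ipsec transform-set
! show crypto ipsec sa
! show crypto map
```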
1. Which one of the following is not one of the tasks required to configure IPSec for Preshared Keys?
2. Which of the following VPN products would be common for mobile users?
3. Which one of the following is a hybrid protocol that implements the Oakley key exchange?
4. Which of the following is a peer authentication method?
5. Which of the following preparation steps is done using the ping command?
6. Which one of the following is not an IKE Phase 1 parameter?
7. To make sure the router ACLs are IPSec-compatible, which is not required to be permitted?
8. If the crypto isakmp policy command were used to create policies with the following priorities, which would be processed first?
9. If the crypto isakmp policy lifetime is set to 43,200, to what does the 43,200 refer?
10. Which command shows the IKE policies and default values?
11. A transform set can contain up to how many transforms?
12. Which is not a function of a crypto ACL?
13. Which of the following is not true?
14. Which command shows IPSec performance indicators?
15. Which statement is not true about the ipsec-manual form of the crypto map command?
Answers
1. D. Configure the crypto map
2. C. Cisco VPN Software Client
3. C. IKE
4. D. Preshared keys
5. C. Ensure the network works without encryption
6. B. Traffic to protect
7. B. Port 510
8. C. 12
9. C. half a day
10. D. show crypto isakmp policy
11. C. 3
12. C. Filter outbound traffic for access to the Internet
13. D. The global crypto map policy command sets the implementation priority
14. B. show crypto ipsec sa
15. C. It enhances the flexibility of the crypto ACLs