Chapter Review

This chapter looked at steps involved in configuring IPSec with preshared keys. The steps and related commands are summarized in the following task list.

Task 1 Prepare for IKE and IPSec

  • Step 1-1 Identify IPSec peers

  • Step 1-2 Determine the IKE (IKE Phase 1) policies

  • Step 1-3 Determine the IPSec (IKE Phase 2) policies

  • Step 1-4 Check the current configuration

    show running-config

    show isakmp

    show crypto map

  • Step 1-5 Ensure the network works without encryption

    ping

  • Step 1-6 Ensure access control lists are compatible with IPSec

    show access-lists

Task 2 Configure IKE

  • Step 2-1 Enable or disable IKE

    crypto isakmp enable

  • Step 2-2 Create IKE policies

    crypto isakmp policy

    authentication

    encryption

    hash

    lifetime

  • Step 2-3 Configure preshared keys

    crypto isakmp key

  • Step 2-4 Verify the IKE configuration

    show crypto isakmp policy

Task 3 Configure IPSec

  • Step 3-1 Configure transform set suites

    crypto ipsec transform-set

  • Step 3-2 Configure global IPSec security association lifetimes

    crypto ipsec security-association lifetime

  • Step 3-3 Configure crypto ACLs

    access-list

  • Step 3-4 Configure crypto maps

    crypto map

  • Step 3-5 Apply the crypto maps to the interface

    interface

    crypto map

Task 4 Test and verify IPSec

  • Step 4-1 Display the configured IKE policies

    show crypto isakmp policy

  • Step 4-2 Display the configured transform sets

    show crypto ipsec transform-set

  • Step 4-3 Display the current state of the IPSec SAs

    show crypto ipsec sa

  • Step 4-4 Display the configured crypto maps

    show crypto map

  • Step 4-5 Debug IKE events

    debug crypto isakmp

  • Step 4-6 Debug IPSec events

    debug crypto ipsec
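The four tasks above assembled into one IOS configuration, as an added example that is not part of the original chapter. All addresses, subnets, names and the key string are assumed placeholders; the interface ACL shows only the IKE/ESP/AH entries from Step 1-6, and any other permits the site needs are omitted.

```text
! Task 1, Step 1-6: the outside-interface ACL must permit IKE (UDP 500),
! ESP (IP protocol 50) and AH (IP protocol 51) from the peer, or IKE never
! completes. Assumed addresses: 192.0.2.1 is this router, 192.0.2.2 the peer.
access-list 101 permit udp host 192.0.2.2 host 192.0.2.1 eq isakmp
access-list 101 permit esp host 192.0.2.2 host 192.0.2.1
access-list 101 permit ahp host 192.0.2.2 host 192.0.2.1
! (remaining permit statements for normal traffic omitted)
!
! Task 2: IKE Phase 1 policy. Priority 10 is evaluated before any higher number.
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 43200
! Step 2-3: preshared key bound to the peer address. Placeholder key; use a
! long random string, never a dictionary word.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 192.0.2.2
!
! Task 3: IPSec (Phase 2). A transform set holds at most three transforms.
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
! Step 3-3: the crypto ACL selects the traffic to protect (assumed LANs).
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Step 3-4: the crypto map ties peer, transform set and crypto ACL together.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES-SHA
 match address 110
! Step 3-5: apply the interface ACL and the crypto map to the outside interface.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 crypto map VPNMAP
!
! Task 4: verification, in the order the chapter lists it.
! show crypto isakmp policy
! show crypto ipsec transform-set
! show crypto ipsec sa
! show crypto map
```

DH group 14 and AES assume a current IOS image; older images offer only groups 1, 2 and 5 and DES/3DES, and the policy on both peers must match on every attribute or Phase 1 fails.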

Questions

1. Which one of the following is not one of the tasks required to configure IPSec for Preshared Keys?

  A. Configure IPSec

  B. Prepare for IKE and IPSec

  C. Test and verify IPSec

  D. Configure the crypto map

D. Configure the crypto map

2. Which of the following VPN products would be common for mobile users?

  A. Cisco 1700 router

  B. Cisco 900 Cable/DSL router

  C. Cisco VPN Software Client

  D. Cisco VPN Hardware Client

C. Cisco VPN Software Client

3. Which one of the following is a hybrid protocol that implements the Oakley key exchange?

  A. IPSec

  B. Crypto map

  C. IKE

  D. Hash algorithm

C. IKE

4. Which of the following is a peer authentication method?

  A. 3DES

  B. SHA-1

  C. MD5

  D. Preshared keys

D. Preshared keys

5. Which of the following preparation steps is done using the ping command?

  A. Identify IPSec peers

  B. Check the current configuration

  C. Ensure the network works without encryption

  D. Ensure access control lists are compatible with IPSec

C. Ensure the network works without encryption

6. Which one of the following is not an IKE Phase 1 parameter?

  A. Encryption algorithm

  B. Traffic to protect

  C. Authentication method

  D. DH key exchange group

B. Traffic to protect

7. To make sure the router ACLs are IPSec-compatible, which is not required to be permitted?

  A. Port 500

  B. Port 510

  C. Protocol 51

  D. Protocol 50

B. Port 510

8. If the crypto isakmp policy command were used to create policies with the following priorities, which would be processed first?

  A. 1000

  B. 500

  C. 12

  D. 25

C. 12

9. If the crypto isakmp policy lifetime is set to 43,200, to what does the 43,200 refer?

  A. 43,200 bytes of protected throughput

  B. 43,200 hours

  C. half a day

  D. 43,200 lines of protected throughput

C. half a day

10. Which command shows the IKE policies and default values?

  A. show running-config

  B. show isakmp policy

  C. show crypto ike policy

  D. show crypto isakmp policy

D. show crypto isakmp policy

11. A transform set can contain up to how many transforms?

  A. 4

  B. 6

  C. 3

  D. 1

C. 3

12. Which is not a function of a crypto ACL?

  A. Define the data flow to be protected by IPSec

  B. Discard inbound traffic that should have been protected by IPSec

  C. Filter outbound traffic for access to the Internet

  D. Define the data flow to pass unprotected by IPSec

C. Filter outbound traffic for access to the Internet

13. Which of the following is not true?

  A. The crypto ACL determines the traffic to be protected

  B. The global crypto map command ties together the IPSec parameters

  C. The interface crypto map command applies the crypto map to an interface

  D. The global crypto map policy command sets the implementation priority

D. The global crypto map policy command sets the implementation priority

14. Which command shows IPSec performance indicators?

  A. show crypto map

  B. show crypto ipsec sa

  C. show crypto ipsec transform-set

  D. show crypto isakmp policy

B. show crypto ipsec sa

15. Which statement is not true about the ipsec-manual form of the crypto map command?

  A. It doesn’t scale well

  B. The result can be insecure because of difficulty in manually creating secure keying material

  C. It enhances the flexibility of the crypto ACLs

  D. Manually established SAs never expire

C. It enhances the flexibility of the crypto ACLs

Answers

1. D. Configure the crypto map

2. C. Cisco VPN Software Client

3. C. IKE

4. D. Preshared keys

5. C. Ensure the network works without encryption

6. B. Traffic to protect

7. B. Port 510

8. C. 12

9. C. half a day

10. D. show crypto isakmp policy

11. C. 3

12. C. Filter outbound traffic for access to the Internet

13. D. The global crypto map policy command sets the implementation priority

14. B. show crypto ipsec sa

15. C. It enhances the flexibility of the crypto ACLs

Part III: Virtual Private Networks (VPNs)