Chapter 19 - Fundamentals of IP Security (IPSec) Flashcards Preview

Cisco CCNA Security (640-554) > Chapter 19 - Fundamentals of IP Security (IPSec) > Flashcards

Flashcards in Chapter 19 - Fundamentals of IP Security (IPSec) Deck (21):
1

How does IPSec enforce anti-replay?

Every packet sent through the tunnel carries a sequence number in its ESP or AH header; the sender increments it for every packet on that security association, and the integrity check covers it, so a captured packet cannot simply be renumbered. The receiver keeps a sliding window of the sequence numbers it has already accepted (64 packets wide by default on IOS). A packet whose sequence number has already been seen, or that falls behind the window, is dropped because the receiving end treats it as a replay.

2


Which command shows the IKE Phase 1 policies on a router?


# show crypto isakmp policy

3


Which command shows the details of a crypto map (peer, crypto ACL, interface it is applied to) and the contents of the IKE Phase 2 transform set it references?


# show crypto map

4


What command shows you the details of an IKE Phase 1 tunnel?


# show crypto isakmp sa detail

(Without the detail keyword the command lists the peers and the SA state; a state of QM_IDLE means Phase 1 is up and the SA is ready for Quick Mode.)

5


What command would you use to get more details on an IKE Phase 2 tunnel?


# show crypto ipsec sa

The #pkts encaps and #pkts decaps counters should both increase while traffic flows. Encaps rising with decaps stuck at zero means the far peer is not sending anything back, which usually points to its crypto ACL, routing or a mismatched policy rather than to this router.

6


What is another command that will show if IPsec encryption / decryption is working?


# show crypto engine connections active

7


How many "tunnels" are actually set up once IPSec is passing VPN traffic on a site-to-site link?


There are actually three:

1 is the IKE Phase 1 (ISAKMP) SA, the bidirectional control channel that secures the negotiation between the peers

1 is the IPsec (Phase 2) SA for outbound traffic from Peer A to Peer B

the other is the IPsec SA for inbound traffic from Peer B back to Peer A

IPsec SAs are unidirectional, so each of the two data SAs has its own SPI and its own keys; show crypto ipsec sa lists them separately as the inbound and outbound esp sas.

8


What are the two modes that IKE Phase 1 uses to create the management tunnel between peers?


Main Mode (six messages)

Aggressive Mode (three messages)

Main mode is preferred because it is more secure: the peers complete the Diffie-Hellman exchange first and then send their identities and authentication hashes encrypted. Aggressive mode compresses the exchange into three messages and sends the identity and the PSK-derived hash in the clear, so anyone who captures it can run an offline dictionary attack against the pre-shared key.

9


What are the DH group modulus (key) sizes?


DH Group 1 = 768 bits

DH Group 2 = 1024 bits

DH Group 5 = 1536 bits

NOTE: IOS does not offer groups 3 or 4 for ISAKMP (they are small elliptic-curve groups defined alongside 1 and 2 in the original IKE RFC). Groups 1 and 2 are too small to be considered secure today; newer IOS releases add larger groups such as 14 (2048 bits), which should be preferred where available.

10


What does HAGLE stand for when referring to IKE Phase 1 negotiation?


H = Hash algorithm (MD5, SHA)

A = Authentication method (PSK or digital certificates)

G = Diffie-Hellman group (DH1, DH2, DH5)

L = Lifetime, how long (in seconds, 60 to 86400, default 86400) until the IKE Phase 1 SA is torn down and renegotiated. A kilobyte-based lifetime applies only to the IPsec (Phase 2) SA, not to Phase 1.

E = Encryption algorithm (DES, 3DES, AES)

11


When referring to HAGLE and IKE Phase 1 setup, which parameter can be different (and still have the tunnel come up)?


L, the Lifetime. H, A, G and E must match exactly between a policy on each peer; if the lifetimes in the matching policies differ, the shorter of the two is used for the IKE SA.
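The negotiation behind cards 10 and 11, as an added example that is not Cisco code: a responder walks its own crypto isakmp policy entries in priority order, compares each against the initiator's proposals, requires H, A, G and E to be identical, and takes the shorter lifetime. The policy values for the three peers are constructed for illustration.

```python
# Added example (not Cisco code): how an ISAKMP responder picks a Phase 1
# policy. Each side's `crypto isakmp policy <n>` entries are compared in
# priority order (lowest n first); H, A, G and E must be identical, and the
# lifetime of the agreed SA is the shorter of the two. Policy values are
# constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int   # crypto isakmp policy <priority>; 1 is tried first, 10000 last
    hash: str       # "md5" or "sha"
    auth: str       # "pre-share" or "rsa-sig"
    group: int      # Diffie-Hellman group: 1, 2, 5, ...
    lifetime: int   # seconds (60-86400)
    encr: str       # "des", "3des", "aes 128", "aes 192", "aes 256"

    def hage(self):
        """The four parameters that must match exactly (HAGLE minus L)."""
        return (self.hash, self.auth, self.group, self.encr)


def negotiate_phase1(local: Iterable[IsakmpPolicy],
                     remote: Iterable[IsakmpPolicy]) -> Optional[dict]:
    """Return the agreed Phase 1 parameters, or None when no pair of policies
    matches (IKE then fails and no tunnel comes up)."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in sorted(remote, key=lambda p: p.priority):
            if mine.hage() == theirs.hage():
                return {
                    "hash": mine.hash,
                    "auth": mine.auth,
                    "group": mine.group,
                    "encr": mine.encr,
                    # lifetimes may differ; the shorter one governs the IKE SA
                    "lifetime": min(mine.lifetime, theirs.lifetime),
                    "local_policy": mine.priority,
                    "remote_policy": theirs.priority,
                }
    return None


# Constructed policies for three peers.
PEER_A = [
    IsakmpPolicy(10, "sha", "pre-share", 5, 3600, "aes 256"),
    IsakmpPolicy(20, "md5", "pre-share", 2, 86400, "3des"),
]
PEER_B = [
    IsakmpPolicy(5, "sha", "pre-share", 5, 86400, "aes 256"),
]
PEER_C = [  # same algorithms as A's policy 10 but a different DH group: no match
    IsakmpPolicy(1, "sha", "pre-share", 2, 3600, "aes 256"),
]

if __name__ == "__main__":
    print(negotiate_phase1(PEER_A, PEER_B))   # A's policy 10 matches; lifetime 3600
    print(negotiate_phase1(PEER_A, PEER_C))   # None: group differs
```

Two practical consequences follow from the ordering: a weak fallback policy with a high number (A's policy 20 above) is still selectable by any peer that proposes it, and a classic IOS router with no policy configured falls back to a built-in default policy at priority 65535, so "no policy" does not mean "no weak match".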

12


What is the mode in which the IKE Phase 2 tunnel is built called?


Quick Mode

13


What is a more proper term for the tunnels that are created by VPN peers?


Security Associations (SAs)

14


What are the policies used for IKE Phase 2 negotiations called?


Transform Sets

15


What is a crypto ACL?


A crypto ACL is an extended ACL used to identify the traffic that should be encrypted and sent over a VPN tunnel. A permit entry means "encrypt this"; a deny entry (or the implicit deny at the end) means "send this in the clear", not "drop it", so a crypto ACL never filters traffic.

NOTE: crypto ACLs are not applied directly to interfaces but are referenced by a policy called a crypto map. The crypto map is applied to an interface. The far peer needs the same ACL with source and destination swapped (a mirror image), otherwise the Phase 2 proxy identities will not match.

16


How would you setup IKE Phase 1 parameters via command line?


(config)# crypto isakmp policy 1

(1 is the policy number, any value from 1 to 10000; the lowest number is tried first during negotiation, so it is also the priority)

Once in (config-isakmp) mode you configure the HAGLE options:

(config-isakmp)# authentication pre-share (PSK)

(config-isakmp)# hash md5 (MD5 hashing)

(config-isakmp)# group 5 (Diffie-Hellman group 5)

(config-isakmp)# lifetime 3600 (tear down the IKE SA after 1 hour)

(config-isakmp)# encr aes 128 (AES 128-bit encryption)

The values above are the ones the deck uses for the exam; for a new deployment prefer hash sha over md5 and the largest DH group the IOS release offers.

 

17


So you set up an IKE Phase 1 policy that is supposed to use PSKs for authentication; how do you set up the actual PSK?

Check that your isakmp policy is set to require pre-shared keys.

# show crypto isakmp policy

Check that it says authentication method: Pre-Shared Key

Then in global configuration mode:

(config)# crypto isakmp key pass123 address 43.0.0.2

This configures a PSK of pass123 to authenticate with the VPN peer at 43.0.0.2. The same key must be configured on the peer, pointing back at this router's address. The key sits in the running configuration, and with aggressive mode a captured exchange can be cracked offline, so use a long random string rather than a word like pass123.

18


How do you configure the IKE Phase 2 tunnel parameters for IPSec?

(config)# crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 256

The above command creates a transform set called "MYSET" that requires ESP with HMAC-SHA-1 integrity and AES 256-bit encryption.

Entering the transform set drops you into (cfg-crypto-trans) mode, where the encapsulation mode is set. Tunnel mode, in which the peer encrypts whole packets on behalf of the hosts behind it, is the default, so the command below only matters if the set was previously switched to transport mode, but it is the one to know:

(cfg-crypto-trans)# mode tunnel

19

What two modes can IKE Phase 2 tunnels operate in?


Tunnel Mode - the most common usage. The whole original IP packet is encrypted and wrapped in a new IP header carrying the peers' addresses, so the VPN peer encrypts and forwards packets on behalf of the hosts sending through it.

Transport Mode - rarely used. Only the payload is protected and the original IP header is kept, so it only works when the two peers themselves (for example two routers) are the endpoints talking directly to each other.

20


How do you create a crypto map that uses an ACL to identify traffic that should be encrypted through the VPN tunnel?


(config)# crypto map MYMAP 1 ipsec-isakmp

This creates a crypto map entry called MYMAP (sequence number 1) and requests the services of ISAKMP to negotiate the keys.

Here's how to use the ACL to match traffic:

(config-crypto-map)# match address 100 (100 is the extended ACL number)

If the traffic is matched, use this transform set:

(config-crypto-map)# set transform-set MYSET

(config-crypto-map)# set peer 43.0.0.2

The map does nothing until it is applied to the outside interface (the crypto map MYMAP command in interface configuration mode), and the far peer needs a matching map whose crypto ACL is the mirror image of ACL 100.
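What the crypto ACL from cards 15 and 20 actually decides, plus the mirroring check a practitioner runs before blaming Phase 2. This is an added example, not Cisco code: it parses only access-list permit/deny ip lines in the forms the deck uses (any, host A.B.C.D, or A.B.C.D wildcard), and the ACL text and addresses are constructed.

```python
# Added example (not Cisco code): what a crypto ACL decides, and the check
# for the classic site-to-site mistake of not mirroring it on the far peer.
# Only `access-list <n> permit|deny ip <src> <dst>` lines are handled, with
# <src>/<dst> written as `any`, `host A.B.C.D`, or `A.B.C.D wildcard`.
# ACL text and addresses below are constructed for illustration.
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, int, int, int, int]  # (action, src_net, src_wildcard, dst_net, dst_wildcard)


def _parse_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec starting at tokens[i]; return (net, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2


def parse_crypto_acl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported crypto ACL line: {line!r}")
        src, src_wc, i = _parse_spec(t, 4)
        dst, dst_wc, _ = _parse_spec(t, i)
        entries.append((t[2], src, src_wc, dst, dst_wc))
    return entries


def _matches(addr: int, net: int, wildcard: int) -> bool:
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def is_interesting(entries: List[Entry], src: str, dst: str) -> bool:
    """True if the packet must be encrypted. A deny, or the implicit deny at
    the end, means 'send in the clear', not 'drop': a crypto ACL never filters."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, net_s, wc_s, net_d, wc_d in entries:
        if _matches(s, net_s, wc_s) and _matches(d, net_d, wc_d):
            return action == "permit"
    return False


def is_mirrored(local: List[Entry], remote: List[Entry]) -> bool:
    """The far peer's permit entries must be ours with source and destination
    swapped; otherwise the Phase 2 proxy identities differ and Quick Mode fails."""
    ours = {(s, sw, d, dw) for a, s, sw, d, dw in local if a == "permit"}
    theirs_flipped = {(d, dw, s, sw) for a, s, sw, d, dw in remote if a == "permit"}
    return ours == theirs_flipped


# Constructed ACLs: peer A's, peer B's correct mirror, and a B that was typed wrong.
ACL_A = "access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"
ACL_B_OK = "access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
ACL_B_BAD = "access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255"

if __name__ == "__main__":
    a = parse_crypto_acl(ACL_A)
    print(is_interesting(a, "10.1.1.5", "10.2.2.9"))      # True: goes through the tunnel
    print(is_interesting(a, "10.1.1.5", "198.51.100.7"))  # False: sent in the clear
    print(is_mirrored(a, parse_crypto_acl(ACL_B_OK)))     # True
    print(is_mirrored(a, parse_crypto_acl(ACL_B_BAD)))    # False: proxy identity mismatch
```

The second print is the point practitioners miss most often: traffic that a crypto ACL does not permit is not blocked, it simply leaves the interface unencrypted, so a typo in the ACL silently leaks the traffic it was meant to protect.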

21


What does ISAKMP stand for?


Internet Security Association and Key Management Protocol