300-410 IPsec Site-to-Site VPN • Complete Question Bank
A network engineer runs the following command on Router R1:
R1# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        MM_NO_STATE          1    0 ACTIVE
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        QM_IDLE              1    0 ACTIVE
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec transform-set
Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },
Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto map
Crypto Map "VPN-MAP" 10 ipsec-isakmp
        Peer = 10.1.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ESP-AES256-SHA,}
        Interfaces using crypto map VPN-MAP:
                Tunnel0
Based on this output, which statement is correct?
A network engineer runs the following command on Router R1:
R1# show crypto ipsec sa | include pkts
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Based on this output, what is the problem?
A network engineer runs the following command on Router R1:
R1# show crypto isakmp sa detail
Codes: C - IKEv1, I - IKEv2

C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1     10.1.1.1        10.1.1.2               ACTIVE  aes   sha   psk   14  23:59:59
Based on this output, which statement is correct?
Given the following partial configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What is the effect of this configuration?
Consider the following configuration on router R2:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp key secretkey address 192.168.1.1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Which statement is true?
Given the partial configuration:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What is the effect of the 'crypto isakmp key' command with address 0.0.0.0 0.0.0.0?
Examine this configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What is missing from this configuration to ensure the tunnel works correctly?
Given this configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
What will happen when traffic from 10.1.1.0/24 to 10.2.2.0/24 is generated?
Consider the following configuration on router R1:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
If the remote peer has an ISAKMP policy with encryption 3des, what will happen?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# debug crypto isakmp
*Mar 1 00:01:23.456: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA
*Mar 1 00:01:23.457: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
*Mar 1 00:01:23.457: ISAKMP: New peer created peer = 0x12345678 peer_handle = 0x80000001
*Mar 1 00:01:23.457: ISAKMP: Locking peer struct 0x12345678, refcount 1 for crypto_isakmp_process_block
*Mar 1 00:01:23.457: ISAKMP (0:0): SA request profile is (default)
*Mar 1 00:01:23.457: ISAKMP: local port 500, remote port 500
*Mar 1 00:01:23.458: ISAKMP (0:0): found peer pre-shared-key matching 192.168.1.2
*Mar 1 00:01:23.458: ISAKMP (0:0): constructed NAT-T vendor ID
*Mar 1 00:01:23.458: ISAKMP (0:0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:01:23.458: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:01:23.459: ISAKMP (0:0): processing SA payload. message ID = 0
*Mar 1 00:01:23.459: ISAKMP (0:0): Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 00:01:23.459: ISAKMP:      encryption DES-CBC
*Mar 1 00:01:23.459: ISAKMP:      hash SHA
*Mar 1 00:01:23.459: ISAKMP:      default group 2
*Mar 1 00:01:23.459: ISAKMP:      auth pre-share
*Mar 1 00:01:23.459: ISAKMP (0:0): atts are not acceptable. Next transforms are not acceptable
*Mar 1 00:01:23.460: ISAKMP (0:0): no offers accepted!
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# debug crypto ipsec
*Mar 1 00:02:34.567: IPSEC(sa_request): ,
  (key eng. msg.) src=10.0.0.1, dst=10.0.0.2,
    src_proxy=192.168.1.0/255.255.255.0/0/0,
    dst_proxy=192.168.2.0/255.255.255.0/0/0,
*Mar 1 00:02:34.567: IPSEC(validate_proposal): transform proposal (esp-3des esp-sha-hmac) not supported for proxy 192.168.1.0/255.255.255.0/0/0
*Mar 1 00:02:34.567: IPSEC(validate_proposal): proposal doesn't match!
*Mar 1 00:02:34.568: IPSEC(create_sa): SA created with (0x1234, 0x5678) but no inbound or outbound SPI
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# show crypto isakmp sa detail
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1001  192.168.1.1     192.168.2.2            ACTIVE  des   sha   pre   2   23:59:21
1002  192.168.1.1     192.168.2.2            ACTIVE  3des  sha   pre   2   23:58:15

IPv6 Crypto ISAKMP SA
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# show crypto ipsec sa detail
interface: Tunnel0
    Crypto map tag: CMAP, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 192.168.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x0(0)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 8 bytes
        replay detection support: N

     outbound esp sas:
      spi: 0x0(0)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 8 bytes
        replay detection support: N
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# show crypto ipsec transform-set
Transform set combined-des-sha: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set myset: { esp-3des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set strong: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Tunnel, },
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqNo
    1  IPsec   ESP-3DES+SHA              0        0         0
    2  IPsec   ESP-3DES+SHA              0        0         0
    3  IPsec   ESP-AES+SHA               0        0         0
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={myset, }
        Interfaces using crypto map CMAP:
                Tunnel0
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# show ip route 192.168.2.0
Routing entry for 192.168.2.0/24
  Known via "eigrp 100", distance 90, metric 2684416, type internal
  Redistributing via eigrp 100
  Last update from 10.0.0.2 on Tunnel0, 00:00:23 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, from 10.0.0.2, via Tunnel0
      Route metric is 2684416, traffic share count is 1
      Total delay is 20000 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
What does this output indicate?
A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:
R1# show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
What does this output indicate?