PCNSE Secure Access and VPN • Complete Question Bank
Complete PCNSE Secure Access and VPN question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.

show vpn gateway
Name: Corp-GW
Peer IP: 203.0.113.1
Local IP: 198.51.100.1
IKE version: IKEv2
Pre-shared key: ****
IKE crypto profile: default
DPD: enabled

show vpn tunnel
Name: Corp-Tun
Tunnel interface: tunnel.1
Type: IPSec
IKE gateway: Corp-GW
IPSec crypto profile: default
Proxy IDs: local 10.0.0.0/16, remote 172.16.0.0/16

show routing route
Destination: 172.16.0.0/16
Next hop: tunnel.1
Metric: 10

show interface tunnel.1
Interface: tunnel.1
Zone: VPN-Zone
Virtual router: default

Refer to the exhibit.

GlobalProtect Portal Configuration:
Portal Name: corp-portal
Authentication Profile: LDAP_Auth
Gateway: corp-gw
Client Authentication: Required
Internal Host Detection: 10.0.0.0/8

GlobalProtect Gateway Configuration:
Gateway Name: corp-gw
Tunnel Interface: tunnel.3
IPSec Crypto Profile: GP-default
Client IP Pool: 192.168.1.100-192.168.1.200
Security Rules: allow all

Permits traffic matching the rule
Blocks traffic and sends a reset
Silently discards traffic without notification
Sends TCP reset to client only
Sends TCP reset to both client and server
Refer to the exhibit.

CLI output:
admin@PA> show vpn ipsec tunnel name Corp-VPN
tunnel Corp-VPN: id 123, establishment status: initiator
Phase1: state UP, IKEv2
Phase2: state DOWN, reason: no matching proposal

Refer to the exhibit.

Config snippet from portal:
set portal myportal authentication certificate enable yes
set portal myportal authentication profile localAuth
set portal myportal gateway CorpGateway
set shared certificate profile GP-SSL

Refer to the exhibit.
Decryption policy rule:
{
"name": "Skip Decrypt for VPN",
"from": ["any"],
"to": ["any"],
"source": ["10.0.0.0/8"],
"destination": ["any"],
"service": ["application-default"],
"category": ["any"],
"action": "no-decrypt"
}
Additionally, the GlobalProtect gateway is configured with 'Tunnel Inspection' set to 'Required'.

admin@PA-5020> show vpn ike-sa
Gateway  Peer      Interface    Role       Life   LifeKB  State
GW1      10.1.1.1  ethernet1/2  Responder  86400  0       ACTIVE
GW1      10.1.1.1  ethernet1/2  Initiator  86400  0       ACTIVE
GW1      10.1.1.1  ethernet1/2  Responder  86400  0       ACTIVE

set network tunnel ipsec ipsec-tunnel VPN-Tunnel
set tunnel-interface tunnel.1
set proxy-id local 192.168.1.0/24
set proxy-id remote 10.0.0.0/8
set proxy-id protocol any
set ike-gateway GW1
set ipsec-crypto-profile AES256-SHA256
commit

2019-04-10 14:23:45, ERROR: ike: IKE negotiation failed: No proposal chosen (1.2.3.4 -> 5.6.7.8)
2019-04-10 14:23:45, WARN: ike: Phase 2 negotiation failed for vpn-tunnel1: no acceptable set of proposals
2019-04-10 14:23:46, INFO: ike: IPSec SA deleted (1.2.3.4 -> 5.6.7.8 spi 0x12345678)

admin@PA-5000> show vpn ipsec-sa
Total IPsec SA: 3
Gateway: VPN-GW-1, Tunnel-id: 1, State: active, SPI: 123456, Encapsulation: tunnel
Gateway: VPN-GW-2, Tunnel-id: 2, State: init, SPI: 0, Encapsulation: tunnel
Gateway: VPN-GW-3, Tunnel-id: 3, State: active, SPI: 789012, Encapsulation: transport

Configuration for VPN-GW-2:
set network tunnel ipsec ipsec-crypto VPN-GW-2 ike-gateway VPN-GW-2-IKE
set network tunnel ipsec ipsec-crypto VPN-GW-2 esp-authentication sha1
set network tunnel ipsec ipsec-crypto VPN-GW-2 esp-encryption aes128
set network tunnel ipsec ipsec-crypto VPN-GW-2 lifetime 3600
set network ike gateway VPN-GW-2-IKE version ikev1
set network ike gateway VPN-GW-2-IKE protocol-version ikev1
set network ike gateway VPN-GW-2-IKE peer-address 10.1.1.1
set network ike gateway VPN-GW-2-IKE pre-shared-key mykey
set network ike gateway VPN-GW-2-IKE local-address 10.1.1.2
set network ike gateway VPN-GW-2-IKE local-id 10.1.1.2
set network ike gateway VPN-GW-2-IKE peer-id 10.1.1.1
set network tunnel ipsec ipsec-crypto VPN-GW-2 proxy-id local-ip 192.168.1.0/24
set network tunnel ipsec ipsec-crypto VPN-GW-2 proxy-id remote-ip 192.168.2.0/24