A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following on the local router:

    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     group 14
     lifetime 86400

On the remote router, the engineer configures:

    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     group 14
     lifetime 86400

The tunnel fails to establish. What is the most likely cause?
Trap 1: The lifetimes are set too high; they should be 3600 seconds.
Why it is a trap: The lifetimes match on both routers, so this is not the cause.
Trap 2: The Diffie-Hellman group 14 is not supported on these routers.
Why it is a trap: Group 14 is widely supported on modern Cisco routers.
Trap 3: Pre-shared keys cannot be used with AES-256 encryption.
Why it is a trap: Pre-shared keys are compatible with AES-256.
- A: The lifetimes are set too high; they should be 3600 seconds.
  Why wrong: The lifetimes match on both routers, so this is not the cause.
- B: The hash algorithm is not specified and defaults may differ between routers.
  Why correct: The default hash algorithm can vary, causing a mismatch.
- C: The Diffie-Hellman group 14 is not supported on these routers.
  Why wrong: Group 14 is widely supported on modern Cisco routers.
- D: Pre-shared keys cannot be used with AES-256 encryption.
  Why wrong: Pre-shared keys are compatible with AES-256.