The Flydumps New Cisco 642-825 practice tests helps the user to keep a check on their learning and understanding and improve for the Cisco 642-825 exam. Flydumps makes you pass your exam much easier.
QUESTION 50
The Certkiller WAN is shown below:
Part of the Certkiller 2 router configuration is shown below:
MPLS must be enabled on all routers in the Certkiller MPLS domain that consists of Cisco routers and equipment of other vendors. What MPLS distribution protocol(s) should be used on router R2 FastEthernet interface Fa0/0 so that the Label Information Base (LIB) table is populated across the MPLS domain?
A. Only TDP should be enabled on Fa0/0 interface.
B. MPLS cannot be enabled in a domain consisting of Cisco and non-Cisco devices.
C. Both distribution protocols LDP and TDP should be enabled on the Fa0/0 interface.
D. Only LDP should be enabled on Fa0/0 interface.
E. None of the above
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Enable Tag Distribution Protocol (TDP) or Label Distribution Protocol (LDP) on the interface; TDP is Cisco's proprietary tag switching protocol and LDP is the standards-based label switching protocol. Support for MPLS is enabled on a device with the mpls ip global configuration command (it should be on by default), and then individually on every frame-mode interface that participates in MPLS.
MPLS support is enabled by default on Cisco routers and can be disabled with the no mpls ip interface configuration command. MPLS must be configured individually on every frame-mode interface that will participate in MPLS using the mpls ip command in interface configuration mode. After enabling MPLS on the interface, select the label distribution protocol using the mpls label protocol command in interface configuration mode: Router(config-if)#mpls label protocol [ tdp | ldp | both ] starts the selected label distribution protocol on the specified interface.
QUESTION 51
A new Certkiller router was configured with the following commands:
The configuration above was found on an Internet Service Provider’s (ISP) Multiprotocol Label Switching (MPLS) network. What is its purpose?
A. To prevent customers from running TDP with the ISP routers
B. To prevent customers from running LDP with the ISP routers
C. To prevent other ISPs from running LDP with the ISP routers
D. To prevent man-in-the-middle attacks
E. To use CBAC to shut down Distributed Denial of Service attacks
F. To use IPS to protect against session-replay attacks
G. None of the above
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Tag Distribution Protocol (TDP) uses port number 711 and Label Distribution Protocol (LDP) uses port number 646. In the exhibit, the deny entry for port 711 blocks TDP.
QUESTION 52
The following output was displayed on router Certkiller 1: On the basis of the command output shown above, which statement is true?
A. Traffic associated with local label 26 will be forwarded to an interface that is not associated with label switching.
B. Traffic associated with local label 29 will be forwarded to an interface that is not associated with label switching.
C. The value 32 is a local label ID.
D. Traffic associated with local label 30 will have a next hop of 10.250.0.97/32.
E. None of the above.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
To display the contents of the Multiprotocol Label Switching (MPLS) Label Forwarding Information Base (LFIB), use the show mpls forwarding-table command in privileged EXEC mode:
show mpls forwarding-table [network {mask | length} | labels label [- label] | interface interface | next-hop address | lsp-tunnel [tunnel-id]] [vrf vrf-name] [detail]
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1612/products_feature_guide09186a008008093f.html
QUESTION 53
The Certkiller WAN is depicted below:
MPLS and LDP are enabled on routers Certkiller 2 and Certkiller 3 and all interfaces are enabled. However, the routers will not establish an LDP neighbor session. Troubleshooting has revealed that there is forwarding information in the FIB table, but there is no forwarding information in the LFIB table. Which issue would cause this problem?
A. IP CEF is not enabled on one or both of the routers.
B. One or both of the routers are using the loopback address as the LDP ID and the loopback is not being advertised by the IGP.
C. BGP neighbor sessions have not been configured on one or both of the routers.
D. MPLS has been enabled on the interface but has not been enabled globally on one or both of the routers.
E. None of the above
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: MPLS-switched packets are forwarded based on information contained in the Label Forwarding Information Base (LFIB). A packet leaving a router over a label-switched interface will receive labels with values specified by the LFIB. Labels are associated with destinations in the LFIB according to Forwarding Equivalence Classes (FECs). A FEC is a grouping of IP packets which travel over the same path and receive the same forwarding treatment. The simplest example of a FEC is all packets traveling to a certain subnet. Another example could be all packets with a given IP precedence going to an Interior Gateway Protocol (IGP) next hop associated with a group of Border Gateway Protocol (BGP) routes. The Label Information Base (LIB) is a structure which stores labels received from all Label Distribution Protocol (LDP) or Tag Distribution Protocol (TDP) neighbors. In the Cisco implementation, labels are sent for all routes in a given router’s routing table (with the exception of BGP routes) to all LDP or TDP neighbors. All labels received from neighbors are retained in the LIB, whether or not they are used. If labels are received from a downstream neighbor for a FEC, then the labels stored in the LIB are used for packet forwarding by the LFIB; that is, the labels used for forwarding are those received from the router’s next hop to a destination, according to the router’s Cisco Express Forwarding (CEF) and routing tables. If label bindings are received from a downstream neighbor for prefixes (including subnet mask) which do not appear in a router’s routing and CEF tables, these bindings will not be used. In a similar manner, if a router advertises labels for a subnet/subnet mask pair which do not correspond to the routing updates also advertised by this router for the same subnet/subnet mask pair, these labels will not be used by upstream neighbors and the Label Switched Path (LSP) between these devices will fail.
QUESTION 54
Two Certkiller routers are configured as IPSec VPN peers. Which IPsec VPN term describes a policy contract that specifies how two peers will use IPsec security services to protect network traffic?
A. Encapsulation security payload
B. Security Association
C. Transform set
D. Authentication Header
E. None of the above
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: A Virtual Private Network (VPN) is defined as network connectivity deployed on a shared infrastructure with the same policies and security as a private network. A VPN can be between two end systems, or it can be between two or more networks. A VPN can be built using tunnels and encryption. VPNs can occur at any layer of the OSI protocol stack. A VPN is an alternative WAN infrastructure that replaces or augments existing private networks that use leased-line or enterprise-owned Frame Relay or ATM networks. VPNs provide three critical functions:
1. Confidentiality (encryption) – The sender can encrypt the packets before transmitting them across a network. By doing so, no one can access the communication without permission. If intercepted, the communications cannot be read.
2. Data integrity – The receiver can verify that the data was transmitted through the Internet without being altered.
3. Origin authentication – The receiver can authenticate the source of the packet, guaranteeing and certifying the source of the information.
Security Association (SA) – A set of policy and key(s) used to protect information. The ISAKMP SA is the shared policy and key(s) used by the negotiating peers in this protocol to protect their communication.
QUESTION 55
Certkiller uses GRE tunnels over an IPSec VPN. Which three statements are correct about a GRE over IPsec VPN tunnel configuration on Cisco IOS routers? (Select three)
A. Crypto maps must specify the use of IPsec transport mode.
B. A crypto ACL will dictate the GRE traffic to be encrypted between the two IPsec peers.
C. A crypto ACL will dictate the ISAKMP and IPsec traffic to be encrypted between the two IPsec peers.
D. A dynamic routing protocol can be configured to run over the tunnel interface.
E. The crypto map must be applied on the tunnel interface.
F. The crypto map must be applied on the physical interface.
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation:
Although the Internet has created new opportunities for companies to streamline business processes, enter new markets, and work with partners and customers more effectively, it has also created a greater reliance on networks and a need to protect against a wide range of security threats. The main function that a VPN offers for this protection is encryption through a tunnel:
1. Tunnels provide logical, point-to-point connections across a connectionless IP network. This enables the use of advanced security features. Tunnels for VPN solutions employ encryption to protect data from being viewed by unauthorized entities and to perform multiprotocol encapsulation, if necessary. Encryption is applied to the tunneled connection to make data legible only to authorized senders and receivers.
2. Encryption ensures that messages cannot be read by anyone but the intended recipient. As more information travels over public networks, the need for encrypting the information becomes more important. Encryption transforms content information into a ciphertext that is meaningless in its encrypted form. The decryption function restores the ciphertext back into content information intended for the recipient.
Cisco Generic Routing Encapsulation
This multiprotocol carrier protocol encapsulates IP, CLNP, and any other protocol packets inside IP tunnels. With GRE tunneling, a Cisco router at each site encapsulates protocol-specific packets in an IP header, creating a virtual point-to-point link to Cisco routers at other ends of an IP cloud, where the IP header is removed. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling allows network expansion across a single-protocol backbone environment. GRE tunneling allows desktop protocols to take advantage of the enhanced route selection capabilities of IP. GRE does not provide encryption and can be monitored with a protocol analyzer.
QUESTION 56
You have been tasked with configuring a new router to be added to the Certkiller IPSec VPN. What are the four main steps in configuring an IPsec site-to-site VPN tunnel on Cisco routers? (Choose four)
A. Create a crypto access list to define which traffic should be sent through the tunnel.
B. Create a crypto map and apply it to the outgoing interface of the VPN device.
C. Define the ISAKMP policy.
D. Define the pre-shared key used in the DH (Diffie-Hellman) exchange.
E. Define the IPsec transform set.
F. Configure dynamic routing over the IPsec tunnel interface.
Correct Answer: ABCE Section: (none) Explanation
Explanation/Reference:
Explanation:
IPsec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet. IPsec encompasses a suite of protocols and is not bound to any specific encryption or authentication algorithms, key generation technique, or security association (SA). IPsec provides the rules while existing algorithms provide the encryption, authentication, key management, and so on.
* Determine the key distribution method – Determine the key distribution method based on the numbers and locations of IPSec peers. For a small network, keys may be distributed manually. For larger networks, use a CA server to support scalability of IPSec peers. Then, configure the Internet Security Association and Key Management Protocol (ISAKMP) to support the selected key distribution method.
* Determine the authentication method – Determine the authentication method based on the key distribution method. Cisco IOS software supports either pre-shared keys, RSA encrypted nonces, or RSA signatures to authenticate IPSec peers. This lesson focuses on using pre-shared keys.
* Identify IPSec peer IP addresses and host names – Determine the details of all of the IPSec peers that will use ISAKMP and pre-shared keys for establishing security associations (SAs). This information will be used to configure IKE.
* Determine ISAKMP policies for peers – An ISAKMP policy defines a combination or “suite” of security parameters to be used during the ISAKMP negotiation. Each ISAKMP negotiation begins with each peer agreeing on a common, or shared, ISAKMP policy. Determine the ISAKMP policy suites in advance of configuration. Then, configure IKE to support the policy details that have been determined. Examples of ISAKMP policy details are included in the following list:
o Encryption algorithm
o Hash algorithm
o IKE SA lifetime
QUESTION 57
Certkiller uses IPSec technology throughout their network. Which three benefits do IPsec VPNs provide? (Select three)
A. Data integrity
B. QoS
C. Confidentiality
D. Adaptive threat defense
E. Origin authentication
F. A fully-meshed topology with low overhead
Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation:
IPsec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet. IPsec encompasses a suite of protocols and is not bound to any specific encryption or authentication algorithms, key generation technique, or security association (SA). IPsec provides the rules while existing algorithms provide the encryption, authentication, key management, and so on.
QUESTION 58
The branch Certkiller locations are connected via an IPSec VPN. Which three IPsec VPN statements are true? (Select three)
A. Main mode is the method used for the IKE phase two security association negotiations.
B. To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only three packets.
C. IKE keepalives are unidirectional and sent every ten seconds.
D. Quick mode is the method used for the IKE phase one security association negotiations.
E. IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers.
F. IPsec uses the Encapsulating Security Protocol (ESP) or the Authentication Header (AH) protocol for exchanging keys.
Correct Answer: BCE Section: (none) Explanation
Explanation/Reference:
Explanation: IPSec is the choice for secure corporate VPNs. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services using Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec is the main option featured in this topic for securing enterprise VPNs. Unfortunately, IPSec supports only IP unicast traffic. If only IP unicast packets are being tunneled, then the single encapsulation provided by IPSec is sufficient and much less complicated to configure and troubleshoot.
QUESTION 59
Certkiller uses GRE tunnels over their IPSec VPN. Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs? (Select three)
A. It supports multi-protocol (non-IP) traffic over the tunnel
B. It uses Virtual Tunnel Interface (VTI) to simplify the IPsec VPN configuration
C. It allows dynamic routing over the tunnel
D. It reduces IPsec headers overhead since tunnel mode is used
E. It simplifies the ACL used in the crypto map
Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation: Cisco Generic Routing Encapsulation. GRE is an OSI Layer 3 tunneling protocol: it uses IP for transport and adds an additional header so that any other OSI Layer 3 protocol (e.g., IP, IPX, AppleTalk) can be carried as payload. GRE is a tunneling protocol initially developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Routing protocols are often used across the tunnel to enable dynamic exchange of routing information in the virtual network. The multiprotocol functionality is provided by adding an additional GRE header between the payload and the tunneling IP header. This multiprotocol carrier protocol encapsulates IP, CLNP, and any other protocol packets inside IP tunnels. With GRE tunneling, a Cisco router at each site encapsulates protocol-specific packets in an IP header, creating a virtual point-to-point link to Cisco routers at other ends of an IP cloud, where the IP header is removed. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling allows network expansion across a single-protocol backbone environment. GRE tunneling allows desktop protocols to take advantage of the enhanced route selection capabilities of IP. GRE does not provide encryption and can be monitored with a protocol analyzer.
QUESTION 60
Certkiller uses GRE tunnels to pass routing protocol traffic across its IPSec VPN. Which IPsec mode will encrypt a GRE tunnel to provide multiprotocol support and reduced overhead?
A. Transport
B. Tunnel
C. Multipoint GRE
D. 3DES
E. None of the above
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The main function of GRE is to provide powerful yet simple tunneling. It supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. It also allows the usage of routing protocols across the tunnel. The main limitation of GRE is that it lacks strong security functionality. It only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses. A reasonably secure VPN requires these characteristics that are not provided by GRE:
* Cryptographically strong confidentiality (that is, encryption)
* Data source authentication that is not vulnerable to man-in-the-middle attacks
* Data integrity assurance that is not vulnerable to man-in-the-middle attacks and spoofing
QUESTION 61
The Certkiller Easy VPN network was configured with RRI. Which statement describes Reverse Route Injection (RRI)?
A. A static route is created on the Cisco Easy VPN server for the internal IP address of each VPN client.
B. A static route that points towards the Cisco Easy VPN server is created on the remote client.
C. A default route is injected into the route table of the remote client.
D. A default route is injected into the route table of the Cisco Easy VPN server.
E. None of the above.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Reverse Route Injection (RRI) is used to inject remote networks into an Interior Gateway Protocol (IGP) and distribute them to other routers in the network. RRI should be used when the following conditions occur:
- More than one VPN server is used
- Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools)
RRI ensures the creation of static routes. Redistributing those static routes into an IGP allows the routers at the server site to find the appropriate Easy VPN Server for return traffic to clients.
QUESTION 62
Two Certkiller IPsec routers use DH to establish a VPN connection. Which feature is an accurate description of the Diffie-Hellman (DH) exchange between two IPsec peers?
A. It allows the two peers to communicate its digital certificate to each other during IKE phase 1
B. It allows the two peers to jointly establish a shared secret key over an insecure communications channel
C. It allows the two peers to negotiate its IPsec transforms during IKE phase 2
D. It allows the two peers to communicate the pre-shared secret key to each other during IKE phase 1
E. It allows the two peers to authenticate each other over an insecure communications channel
F. None of the above
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: One of the most important aspects of creating a secure VPN involves exchanging the keys. The Diffie-Hellman algorithm provides a way for two users, A and B, to establish a shared secret key that only they know. The shared secret key can be established even though users A and B are communicating over an insecure channel. This secret key is then used to encrypt data using the secret key encryption algorithm selected by A and B. Two numbers which are shared are “p”, a prime number, and “g”, a number less than “p” with some restrictions. A and B each create a large random number that is kept secret, called “XA” and “XB”. The Diffie-Hellman algorithm is now performed. Both A and B carry out computations and exchange results. The final result is a common value “K”. A user who knows “p” or “g” cannot easily calculate the shared secret value, because of the difficulty in factoring large prime numbers. It is important to note that A and B have no method for determining each other’s identity. The exchange is vulnerable to a man-in-the-middle attack. Diffie-Hellman provides for confidentiality but does not provide for authentication. Authentication is achieved by the use of digital signatures in the Diffie-Hellman message exchanges.
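The exchange described above, carried out in Python as an added example (this is not code from the original explanation or from any Cisco product). It uses the explanation's p, g, XA, XB and K notation, with constructed toy parameters that are far too small for real use. Each side derives the same K from the other side's public value, and the public values themselves say nothing about who sent them; the HMAC tagging under a pre-shared key at the end is an assumed, simplified stand-in for how IKE binds the exchange to an authenticated identity, and it is what makes a substituted value detectable.

```python
"""Toy Diffie-Hellman exchange between users A and B.  Added example; the
parameters and the pre-shared-key tagging scheme are constructed for
illustration and are NOT a production key exchange (real IPsec peers use
large standardised MODP groups)."""
import hashlib
import hmac
import secrets

# Constructed toy parameters: p is prime, g is a base less than p.
# 7 is a primitive root of 2^31 - 1, so every public value is a power of g.
P = 2_147_483_647   # 2^31 - 1; chosen for readability, not security
G = 7


def dh_private_key(p: int = P) -> int:
    """Each side creates a large random number kept secret (XA or XB)."""
    return secrets.randbelow(p - 3) + 2          # 2 <= X <= p - 2


def dh_public_value(x: int, p: int = P, g: int = G) -> int:
    """The value sent over the insecure channel: g^X mod p."""
    return pow(g, x, p)


def is_valid_public_value(y: int, p: int = P) -> bool:
    """0, 1 and p-1 force K into a trivial subgroup; a peer that sends one of
    them would learn the 'secret' without knowing anything.  Reject them."""
    return 1 < y < p - 1


def dh_shared_secret(own_x: int, peer_y: int, p: int = P) -> int:
    """K = (peer's public value)^(own secret) mod p."""
    if not is_valid_public_value(peer_y, p):
        raise ValueError("peer public value out of range")
    return pow(peer_y, own_x, p)


def exchange(xa: int, xb: int, p: int = P, g: int = G) -> tuple:
    """Run both sides and return (K computed by A, K computed by B)."""
    ya = dh_public_value(xa, p, g)                # A -> B over the insecure channel
    yb = dh_public_value(xb, p, g)                # B -> A over the insecure channel
    return dh_shared_secret(xa, yb, p), dh_shared_secret(xb, ya, p)


# Authentication of the exchange.  Simplified stand-in (an assumption of this
# example) for pre-shared-key authentication: the tag binds a public value to
# the sender's identity, which the bare exchange above never does.
def tag_public_value(y: int, psk: bytes, sender_id: bytes) -> bytes:
    """HMAC-SHA256 over (sender identity, public value) under the pre-shared key."""
    return hmac.new(psk, sender_id + b"|" + str(y).encode(), hashlib.sha256).digest()


def verify_public_value(y: int, tag: bytes, psk: bytes, sender_id: bytes) -> bool:
    """Constant-time check; a substituted public value or wrong key fails here."""
    return hmac.compare_digest(tag_public_value(y, psk, sender_id), tag)


if __name__ == "__main__":
    xa, xb = dh_private_key(), dh_private_key()
    ka, kb = exchange(xa, xb)
    print("both sides hold the same K:", ka == kb)
```

The textbook parameters p = 23, g = 5 with XA = 6 and XB = 15 give K = 2 on both sides, which is a convenient hand-checkable case; the default parameters give the same agreement with values large enough that the intermediate arithmetic is no longer visible.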
QUESTION 63
Certkiller uses GRE tunnels over their IPSec VPN to pass routing information. Which statement is true about an IPsec/GRE tunnel?
A. Crypto map ACL is not needed to match which traffic will be protected.
B. GRE encapsulation occurs before the IPsec encryption process.
C. The GRE tunnel source and destination addresses are specified within the IPsec transform set.
D. An IPsec/GRE tunnel must use IPsec tunnel mode.
E. None of the above.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The main function of GRE is to provide powerful yet simple tunneling. It supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. It also allows the usage of routing protocols across the tunnel. The main limitation of GRE is that it lacks strong security functionality. It only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses. A reasonably secure VPN requires these characteristics that are not provided by GRE:
* Cryptographically strong confidentiality (that is, encryption)
* Data source authentication that is not vulnerable to man-in-the-middle attacks
* Data integrity assurance that is not vulnerable to man-in-the-middle attacks and spoofing
QUESTION 64
An IPSec secure tunnel is being built between routers CK1 and CK2. In IPSec, what are the common services provided by Authentication Header (AH) and Encapsulation Security Payload (ESP)?
A. Data origin authentication, confidentiality, and anti-replay service
B. Confidentiality, data integrity, and anti-replay service
C. Data integrity, data origin authentication, and anti-replay service
D. Confidentiality, data integrity, and data origin authentication
E. Confidentiality, data integrity and authorization.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: AH (Authentication Header) is used to provide data integrity and authentication. It does not provide any form of encryption to the payload of the packet. AH uses a keyed one-way hash function (also called an HMAC) such as MD5 or SHA-1 to guarantee the integrity and origin of the packet. Optionally, it can provide anti-replay protection. ESP (Encapsulating Security Payload) is primarily used to provide payload encryption. With the current revisions of the RFC for ESP, it also includes the ability to provide authentication and integrity. Because ESP can do all the services needed in a secure VPN network (including optional AH services), most implementations do not include any AH options. When the IPSec standard was created, its developers took into account the need for increased security. Therefore, IPSec can use different algorithms for payload encryption, such as DES to give you 56-bit encryption or 3DES to give you 168-bit encryption. As the need for stronger payload encryption arises, the standard will allow vendors to implement other algorithms.
Reference: Cisco Press – BCRAN – 642-821 – Exam Certification Guide 2004 (ISBN 1-58720-084-8), pages 435 and 436
QUESTION 65
IPSec is being used for the Certkiller VPN. In the IPSec protocol; what are the responsibilities of the Internet Key Exchange (IKE)? (Choose all that apply)
A. Negotiating protocol parameters
B. Integrity checking user hashes
C. Authenticating both sides of a connection
D. Implementing tunnel mode
E. Exchanging public keys
F. Packet encryption
Correct Answer: ACE Section: (none) Explanation Explanation/Reference:
Explanation: Internet Key Exchange (IKE) is used to establish all the information needed for a VPN tunnel. Within IKE, you negotiate your security policies, establish your SAs, and create and exchange your keys that will be used by other algorithms such as DES. IKE is broken down into two phases, described next.
Phase One of IKE
Phase one is used to negotiate policy sets, authenticate peers, and create a secure channel between peers. IKE phase one can happen in one of two modes, main mode or aggressive mode. The major difference is that in main mode, three different and distinct exchanges take place to add to the security of the tunnel, whereas in aggressive mode everything is sent in a single exchange.
Phase Two of IKE
IKE phase two is used to negotiate the IPSec security parameters (such as the IPSec transform sets), establish SAs, and optionally perform additional Diffie-Hellman exchanges. IKE phase two has only one mode, called quick mode, which happens only after IKE phase one has completed.
Reference: Cisco Press – BCRAN – 642-821 – Exam Certification Guide 2004 (ISBN 1-58720-084-8), pages 438 to 439
QUESTION 66
An IPSec datagram is depicted in the following diagram:
In this datagram, what is the name of the header that is marked with a 2? (Hint: It provides data authentication and confidentiality)
A. AH header
B. ESP header
C. SA header
D. MPLS VPN header
E. None of the above
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: IPsec defines a new set of headers to be added to IP datagrams. These new headers are placed after the outer IP header. These new headers provide information for securing the payload of the IP packet as follows:
Authentication Header (AH) – This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures, because digital signature technology is slow and would greatly reduce network throughput.
Encapsulating Security Payload (ESP) – This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.
Reference: http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/depip_wp.htm
QUESTION 67
IPSec is being used for the Certkiller VPN. Which of the IPSEC protocols is capable of negotiating security associations?
A. AH
B. ESP
C. IKE
D. SSH
E. MD5
F. None of the above
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
IKE is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
IKE is a hybrid protocol, which implements the Oakley key exchange and Skeme key exchange inside the ISAKMP framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.) IKE automatically negotiates IPSec security associations and enables IPSec secure communications without manual preconfiguration.
Specifically, IKE provides the following benefits:
* Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
* Allows you to specify a lifetime for the IPSec security association.
* Allows encryption keys to change during IPSec sessions.
* Allows IPSec to provide anti-replay services.
* Permits CA support for a manageable, scalable IPSec implementation.
* Allows dynamic authentication of peers.
QUESTION 68
IPSec is being used for the Certkiller VPN. Which of the phrases below are true about IPSec IKE Phase 2?
(Choose all that apply)
A. It determines the key distribution method
B. It identifies IPSec peer details
C. It selects manual or IKE-initiated SAs
D. It determines the authentication method
E. It negotiates ISAKMP policies for peers
F. It selects the IPSec algorithms and parameters for optimal security and performance
Correct Answer: CEF Section: (none) Explanation
Explanation/Reference:
Explanation:
IKE Phase 1
The basic purpose of IKE phase 1 is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase 1 performs the following functions:
* Authenticates and protects the identities of the IPSec peers
* Negotiates a matching IKE SA policy between peers to protect the IKE exchange
* Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
* Sets up a secure tunnel to negotiate IKE phase 2 parameters
IKE Phase 2
The purpose of IKE phase 2 is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase 2 performs the following functions:
* Negotiates IPSec SA parameters protected by an existing IKE SA
* Establishes IPSec security associations
* Periodically renegotiates IPSec SAs to ensure security
* Optionally performs an additional Diffie-Hellman exchange
QUESTION 69
IPSec is being used for the Certkiller network between routers CK1 and CK2. During the ISAKMP negotiation process in IKE Phase 1 mode (where ISAKMP looks for a policy that is the same on both peers), which peer would be responsible for matching the policies?
A. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match with its policy.
B. The remote peer sends all its policies to the initiating peer, and the initiating peer tries to find a match with its policies.
C. Both peers send all their policies to the other peer, and each peer tries to find a match with its policies.
D. Both peers send all their policies to the other peer, but just the initiating peer tries to find a match with its policies.
E. None of the above
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer looks for a match by comparing its own highest priority policy against the other peer’s received policies. The remote peer checks each of its policies in order of its priority (highest priority first) until a match is found. A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the remote peer’s policy specifies a lifetime less than or equal to the lifetime in the policy being compared. (If the lifetimes are not identical, the shorter lifetime, from the remote peer’s policy, will be used.) If no acceptable match is found, IKE refuses negotiation and IPSec will not be established.
If a match is found, IKE will complete negotiation, and IPSec security associations will be created.
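The matching procedure above, written out in Python as an added example (not code from the original explanation or from Cisco IOS). It parses `crypto isakmp policy` blocks out of constructed running-config text for the two peers, then runs the responder-side search exactly as described: the responder's policies are tried from highest priority (lowest number), a match needs identical encryption, hash, authentication and DH group, and the responder's lifetime must be no longer than the initiator's, the shorter lifetime being the one used. Field defaults are the documented IOS ISAKMP defaults (DES, SHA, RSA signatures, group 1, 86400 seconds); the sample configurations and peer names are constructed.

```python
"""IKE phase 1 policy matching plus a small parser for 'crypto isakmp policy'
blocks.  Added example; sample configs are constructed and field defaults are
the documented IOS ISAKMP defaults."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int                     # lower number = higher priority
    encryption: str = "des"
    hash: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400             # seconds

    def parameters(self) -> tuple:
        """The four values that must be identical for a match (lifetime is separate)."""
        return (self.encryption, self.hash, self.authentication, self.group)


def parse_isakmp_policies(config: str) -> list:
    """Collect IsakmpPolicy objects from IOS config text.  Sub-commands are the
    indented lines after 'crypto isakmp policy N'; a non-indented line ('!')
    ends the block.  Unset fields keep the IOS defaults."""
    policies, current = [], None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            if current is not None:
                policies.append(IsakmpPolicy(**current))
            current = {"priority": int(m.group(1))}
            continue
        if current is None:
            continue
        if not line.startswith(" "):                  # block terminator
            policies.append(IsakmpPolicy(**current))
            current = None
            continue
        key, _, value = line.strip().partition(" ")
        if key in ("encryption", "hash", "authentication"):
            current[key] = value
        elif key in ("group", "lifetime"):
            current[key] = int(value)
    if current is not None:
        policies.append(IsakmpPolicy(**current))
    return policies


def find_matching_policy(responder: list, initiator: list):
    """Responder-side search: walk the responder's policies from highest priority;
    for each, scan the initiator's offered policies for identical parameters
    where the responder's lifetime is <= the initiator's.  Returns
    (responder_policy, initiator_policy, negotiated_lifetime), or None when IKE
    would refuse the negotiation."""
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in sorted(initiator, key=lambda p: p.priority):
            if rp.parameters() == ip.parameters() and rp.lifetime <= ip.lifetime:
                return rp, ip, min(rp.lifetime, ip.lifetime)
    return None


# Constructed sample configs for the two peers (initiator leaves lifetime at default).
RESPONDER_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 43200
!
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 3600
!
"""

INITIATOR_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 1
!
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
"""


def negotiate_sample():
    """Run the matching over the constructed configs."""
    return find_matching_policy(parse_isakmp_policies(RESPONDER_CONFIG),
                                parse_isakmp_policies(INITIATOR_CONFIG))


if __name__ == "__main__":
    print(negotiate_sample())
```

On the sample configs the responder's policy 10 (AES/SHA/pre-share/group 2, 43200 s) matches the initiator's policy 20, which offers the same parameters with the default 86400 s lifetime, so 43200 s is negotiated even though the initiator's own policy 10 is ordered first; an initiator whose lifetimes are all shorter than the responder's gets no match at all, which is the case to check when two peers with apparently identical algorithm settings fail to bring up the IKE SA.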