1 |
Assuming that you are using IKE preshared key authentication, and that a unique preshared key is used between each pair of gateways, how many unique preshared keys are required for an IPsec VPN consisting of 10 gateways? How many (end-entity) certificates are required if IKE RSA digital signature authentication is used instead? |
Answer: |
45 unique preshared keys are required for an IPsec VPN consisting of 10 gateways (one key per pair of gateways, that is n(n-1)/2 keys for n gateways). For the same number of gateways, only 10 (end-entity) certificates are required, one per gateway, because each gateway authenticates every peer against the same CA certificate rather than against a per-peer secret.
2 |
What are two common ways to reduce the amount of configuration on gateways in an IPsec VPN? |
Answer: |
Tunnel Endpoint Discovery (TED) and Dynamic Multipoint VPN (DMVPN). Wildcard preshared keys can also, to an extent, reduce the amount of configuration, although their use is not generally recommended because every peer then shares the same secret.
3 |
What protocol does DMVPN rely on to provide direct spoke site-to-spoke site connectivity? |
Answer: |
The Next Hop Resolution Protocol (NHRP). |
4 |
What type of certificate is used for RSA digital signature authentication with IPsec? |
Answer: |
The X.509 certificate is used. |
5 |
What are two methods that a Cisco IOS router can use to check the revocation status of a certificate? |
Answer: |
It can check the revocation status using a Certificate Revocation List (CRL) or it can use the Online Certificate Status Protocol (OCSP) to query an OCSP responder. |
6 |
What are the three main ways to configure high availability in an (IOS) IPsec VPN? |
Answer: |
The three main ways to configure high availability are to configure multiple IPsec peers (within a crypto map entry) together with IKE keepalives, to use HSRP, or to use redundant GRE tunnels.
7 |
Why is fragmentation of IPsec packets undesirable? |
Answer: |
Fragments may be dropped in the intervening network, and those that do arrive must be reassembled by the receiving IPsec gateway before the packet can be authenticated and decrypted, which imposes high processor and memory overhead on that gateway.
8 |
What ToS/DS value does an IPsec VPN gateway include in the outer header of an IPsec packet by default? |
Answer: |
In transport mode there is no separate outer header; the original IP header, and therefore its ToS/DS value, is retained. In tunnel mode, the ToS/DS value in the outer header is copied by default from the encapsulated (inner) user packet.
9 |
Why might packets associated with the same IPsec SA be dropped if they are subject to different QoS treatment in an intervening network between IPsec VPN gateways? |
Answer: |
Packets might be dropped if QoS packet scheduling re-orders packets belonging to the same SA, so that some packets are delayed long enough for their sequence numbers to fall outside (to the "left" of) the anti-replay window on the receiving IPsec VPN gateway. Such packets cannot be checked for replay and are discarded.
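To make the mechanism concrete, here is an added example (not part of the original question set) of an RFC 4303-style sliding anti-replay window fed by a toy QoS scheduler. The traffic mix, the per-class delays and the 200-packet count are constructed; the 64-packet window is the IOS default. Packets of one SA are split into a "voice" class that is forwarded immediately and a "bulk" class that the network holds back by a fixed number of packet slots; once that delay exceeds the window size, every delayed packet arrives to the left of the window and is dropped as stale.

```python
"""Sliding-window anti-replay check (RFC 4303 style) fed by a toy QoS
scheduler, showing why re-ordering within one SA can get packets dropped.
Added example, not from the original text; packet classes, delays and
counts below are constructed."""

WINDOW = 64  # Cisco IOS default anti-replay window size


class AntiReplayWindow:
    """Bit 0 of `bitmap` represents sequence number `top`; bit i represents
    `top - i`. Only the `size` most recent sequence numbers are tracked."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # which numbers in [top-size+1, top] were seen

    def check(self, seq):
        """Return 'accept', 'replay' or 'stale' and update the window."""
        if seq == 0:
            return "replay"         # sequence 0 is never valid with anti-replay on
        if seq > self.top:          # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"          # left of the window: cannot be checked, dropped
        if self.bitmap & (1 << diff):
            return "replay"         # this sequence number was already received
        self.bitmap |= 1 << diff
        return "accept"


def build_sa_packets(count, bulk_every=4):
    """Constructed traffic: one SA carrying two classes. Every `bulk_every`-th
    packet is 'bulk'; the rest are 'voice'."""
    return [(seq, "bulk" if seq % bulk_every == 0 else "voice")
            for seq in range(1, count + 1)]


def deliver_with_qos(packets, delay_by_class):
    """Toy model of the intervening network: each class is delayed by a fixed
    number of packet slots (priority queuing lets voice overtake bulk).
    Returns the sequence numbers in the order they reach the receiver."""
    order = sorted(packets, key=lambda p: (p[0] + delay_by_class[p[1]], p[0]))
    return [seq for seq, _ in order]


def receive(arrival_order, window_size=WINDOW):
    """Run the receiving gateway's anti-replay check over the arrival order."""
    win = AntiReplayWindow(window_size)
    result = {"accept": [], "replay": [], "stale": []}
    for seq in arrival_order:
        result[win.check(seq)].append(seq)
    return result


if __name__ == "__main__":
    pkts = build_sa_packets(200)
    for bulk_delay in (40, 100):   # below and above the 64-packet window
        r = receive(deliver_with_qos(pkts, {"voice": 0, "bulk": bulk_delay}))
        print(f"bulk delayed {bulk_delay:3d} slots: accepted={len(r['accept'])} "
              f"dropped as stale={len(r['stale'])}")
```

With a 40-slot delay every packet is accepted; with a 100-slot delay the first 33 bulk packets land 99 sequence numbers behind the window top and are discarded, which is exactly the failure the question describes. The usual remedies are to keep traffic that needs different QoS treatment on separate SAs, or to enlarge (or, where policy allows, disable) the anti-replay window.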
10 |
What are some common ways to prevent fragmentation of IPsec packets? |
Answer: |
Ensuring that end hosts send small user packets, fixing PMTUD (so that ICMP "fragmentation needed" messages actually reach the sending hosts instead of being filtered), and using prefragmentation (look-ahead fragmentation) on the IPsec gateway, so that user packets are fragmented before encryption rather than after.
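The following is an added example (not from the original question set) that works through the size arithmetic behind questions 7 and 10. It models an encrypting gateway handling one inner packet and shows the three outcomes for an oversized packet: post-encryption fragmentation, which forces the far gateway to reassemble before it can verify and decrypt; prefragmentation, which fragments the clear-text packet first so every ESP packet fits the MTU; and a PMTUD drop when the inner DF bit is set. The overhead constants assume ESP tunnel mode with AES-CBC and HMAC-SHA1-96 over IPv4 without options; the packet sizes and MTU are constructed.

```python
"""ESP tunnel-mode size arithmetic and the three outcomes for an oversized
packet: post-encryption fragmentation, prefragmentation, or a PMTUD drop.
Added example, not from the original text; the overhead constants assume
AES-CBC with HMAC-SHA1-96 and a 20-byte IPv4 header, and all packet sizes
are constructed."""

IP_HDR = 20        # outer (and inner) IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
IV_LEN = 16        # AES-CBC IV
ESP_TRAILER = 2    # pad length + next header
ICV_LEN = 12       # HMAC-SHA1-96 authenticator
BLOCK = 16         # AES block size; payload + trailer is padded to this


def esp_tunnel_size(inner_len):
    """Wire size of an `inner_len`-byte IP packet after ESP tunnel-mode encapsulation."""
    enc = inner_len + ESP_TRAILER
    pad = (-enc) % BLOCK
    return IP_HDR + ESP_HDR + IV_LEN + enc + pad + ICV_LEN


def max_inner_for_mtu(mtu):
    """Largest inner packet whose encapsulation still fits in `mtu`."""
    n = mtu
    while esp_tunnel_size(n) > mtu:
        n -= 1
    return n


def ip_fragment(total_len, max_frag_len, hdr=IP_HDR):
    """IPv4 fragmentation: every non-final fragment carries a multiple of 8 data bytes."""
    data = total_len - hdr
    chunk = (max_frag_len - hdr) // 8 * 8
    frags = []
    while data > 0:
        take = min(chunk, data)
        frags.append(hdr + take)
        data -= take
    return frags


def forward(inner_len, mtu, prefragment=False, df=False):
    """Model an encrypting gateway handling one inner packet.

    Returns the packet sizes put on the wire, whether the far gateway must
    reassemble before it can authenticate and decrypt, and whether the packet
    was instead dropped with an ICMP 'fragmentation needed' (PMTUD)."""
    esp_len = esp_tunnel_size(inner_len)
    out = {"wire": [esp_len], "reassemble_before_decrypt": False,
           "icmp_frag_needed": False, "advertised_mtu": None}
    if esp_len <= mtu:
        return out
    if df:
        # Inner DF set: honouring it means dropping the packet and telling the
        # host the largest inner size that fits once encapsulated. If that ICMP
        # is filtered on the way back, the host never learns and traffic
        # black-holes; "fixing PMTUD" means making sure it gets through.
        out.update(wire=[], icmp_frag_needed=True,
                   advertised_mtu=max_inner_for_mtu(mtu))
        return out
    if prefragment:
        # Fragment the clear-text packet first, then encrypt each fragment, so
        # every ESP packet fits the MTU and the far gateway decrypts each one
        # independently; the end host reassembles as usual.
        out["wire"] = [esp_tunnel_size(f)
                       for f in ip_fragment(inner_len, max_inner_for_mtu(mtu))]
        return out
    # Default: encrypt, then let IP fragment the oversized ESP packet. The far
    # gateway must collect every fragment and reassemble before the ICV can be
    # checked, which is the costly path the questions warn about.
    out.update(wire=ip_fragment(esp_len, mtu), reassemble_before_decrypt=True)
    return out


if __name__ == "__main__":
    print("1500-byte packet encapsulates to", esp_tunnel_size(1500), "bytes")
    print("largest inner packet for a 1500 MTU:", max_inner_for_mtu(1500))
    for kw in ({}, {"prefragment": True}, {"df": True}):
        print(kw or "default", "->", forward(1500, 1500, **kw))
```

A 1500-byte user packet grows to 1560 bytes on the wire, so it cannot cross a 1500-byte link intact. Left to post-encryption fragmentation it becomes a 1500-byte and an 80-byte fragment that the far gateway has to reassemble before decrypting; with prefragmentation the gateway instead emits two self-contained ESP packets of 1496 and 152 bytes; with DF set it drops the packet and advertises 1438 bytes as the usable MTU, which only helps if that ICMP message is not filtered.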