| Question 1 | What type of device can you use to terminate a VPN? (Choose the best answer.) A. Concentrator B. Firewall C. Router D. All of the above
|
| A1: | Answer D is correct; each of the devices can be the termination point for a VPN. Answers A, B, and C are correct but not the most correct; each one individually is not the best answer because you can use all of them to terminate a VPN. |
| Question 2 | What is the number of bits used with a 3DES encryption key? |
| A2: | Answer C is correct; 3DES uses three 56-bit keys for a total of 168 bits. Answer B is single DES, so it is wrong. Answers A and D are the incorrect values. |
| Question 3 | ISAKMP or IKE uses which of the following? A. TCP 500 B. UDP 500 C. IP 500 D. ICMP 500
|
| A3: | Answer B is correct; ISAKMP uses UDP port 500. Answers A, C, and D are incorrect; they have the right value but the wrong protocols. |
| Question 4 | What IP port does ESP use? |
| A4: | Answer A is correct; ESP uses port 50. Answer C is incorrect because it is used by AH. Answers B and D are the wrong IP port numbers. |
| Question 5 | What IP port does AH use? |
| A5: | Answer C is correct; AH uses port 51. Answer B is incorrect because it is used by ESP. Answers A and D are the wrong IP port numbers. |
| Question 7 | Which ISAKMP mode is faster? A. Main mode B. Aggressive mode C. Fast mode D. Ala mode
|
| A6: | Answer B is correct; it is faster than main mode but not as secure. Answer A is incorrect; it is the slower but more secure of the two modes. Answer C is wrong because there is no such mode, and Answer D is incorrect because it's how I like my pie for dessert. |
| Question 8 | Which is the strongest keying algorithm? A. D-H B. DES C. 3DES D. 5DES
|
| A7: | Answer A is correct, but this question is definitely a trick question. D-H uses either 768 or 1024 bits. Answer B is wrong because it uses only 56 bits. Answer C is incorrect because it uses 168 bits, and Answer D is wrong because there is no 5DES. |
| Question 9 | What is the key size for HMAC-SHA-1? A. 56 bits B. 64 bits C. 128 bits D. 160 bits
|
| A8: | Answer D is correct; HMAC-SHA-1 is 160 bit. Answer C, 128, is wrong because it is used by HMAC-MD5. Answers A and B are not the correct bit counts. |
| Question 10 | What are three things that IKE does? A. Specifies the encryption algorithms B. Specifies what traffic to encrypt C. Negotiates ISAKMP SAs D. Defines the lifetime of an SA
|
| A9: | Answers A, C, and D are correct. IKE will specify what encryption algorithm is used, identify the peer, and build an SA, and it can specify the lifetime of the SA. It does not, however, specify the traffic to encrypt you do that with an access list and a crypto map so Answer B is wrong. |
| Question 11 | What command starts the IKE process? A. enable ike B. enable isakmp C. crypto isakmp enable D. crypto ike enable
|
| A10: | Answer C is correct; crypto isakmp enable is all that you need to start IKE or ISAKMP. Remember, they are one and the same. Also it is a global setting not per interface. Answers A, B, and D are all made-up commands and are therefore wrong. |
| Question 12 | What happens if there is a duplicate ISAKMP policy set up on peers? A. That policy will be skipped and different ones chosen. B. The peers will build a tunnel and function normally. C. The peers will build a tunnel, but intermittent errors might occur. D. You will receive a duplicate policy message.
|
| A11: | Answer B is correct; that is the point. We want IKE to negotiate and find matching parameters. Answers A, C, and D are all extremely wrong because there are no issues with matching policies. They are supposed to match. |
| Question 13 | At what point are transform sets negotiated? A. During IKE Phase 1 B. During IKE Phase 2 C. During IPSec Phase 1 D. During IPSec Phase 2
|
| A12: | Answer B is correct; the IPSec parameters for transform sets are negotiated during IKE Phase 2. Answer A is wrong because its job is to build a secure tunnel for Phase 2 to use. Answers C and D are wrong and don't exist. |
| Question 14 | Crypto maps do what three things? A. Specify the traffic to be encrypted B. Specify how peers will be authenticated C. Specify the local address used for IPSec traffic D. Specify the destination of protected IPSec traffic
|
| A13: | Answers A, C, and D are all correct. A crypto map will specify the traffic to be encrypted and the source and destination addresses of the tunnel. Answer B, how peers authenticate, is covered by IKE, so it is incorrect. |
| Question 15 | What two commands allow you to view information about the transform sets? |
| A14: | Answers B and C are correct; show crypto ipsec transform-set shows the defined transform sets and show crypto map lets you see the transform set associated with a crypto map. Answer A is incorrect because it shows ISAKMP policies, and Answer D is wrong because there is no such command. |
| Question 16 | Which two debug commands do you use to troubleshoot your VPNs? |
| A15: | Answers A and D are correct; they both give you an excessive amount of data that you can use to solve VPN problems. Answers B and C are incorrect because those commands do not exist. |
