Chapter 19


1:

Name the major VPN types of Cisco Enterprise VPN solutions.

A1:

The major Cisco Enterprise VPN solutions are Cisco remote access VPN, Cisco site-to-site VPN, and extranet VPN solutions.

2:

What ports need to be open in the corporate firewall to ensure PPTP functionality?

A2:

TCP port 1723 and the GRE protocol ID 47.

3:

What is the purpose of control messages in the L2TP protocol?

A3:

Control messages are used in the establishment, maintenance, and clearing of tunnels and calls.

4:

Define voluntary mode and compulsory mode in PPTP-based VPN.

A4:

When a remote user starts the tunnel, it is called voluntary mode. When the initiation of the tunnel is done by the NAS, it is often referred to as compulsory mode.

5:

What is the minimum set of negotiable attributes in IKE SA?

A5:

The minimum set of negotiable attributes is the encryption algorithm, hash algorithm, authentication method, and information about a group over which to perform the Diffie-Hellman key exchange.

6:

What does SPI stand for in IPSec?

A6:

SPI stands for security parameter index and is a 32-bit number assigned to the initiator of the SA request by the receiving IPSec endpoint.

7:

What are the valid authenticating methods in IPSec?

A7:

The valid authenticating methods in IPSec are preshared key, digital signature standard (DSS) signatures, RSA signatures, encryption with RSA, and revised encryption with RSA.

8:

What is the main difference between main mode and aggressive mode?

A8:

Aggressive mode is used when identity protection is not needed.

9:

What is the main difference between transport mode and tunnel mode in IPSec?

A9:

In transport mode, only the IP payload is encrypted and the original IP headers are left intact. In tunnel mode, the entire original IP datagram is encrypted and it becomes the payload in a new IP packet.

10:

Define the unidirectional and bidirectional security associations (SA). What kind of SA is an IKE SA? An IPSec SA?

A10:

Unidirectional means that, for two-way communication between devices, there must be at least two SAs, one in each direction. The term bidirectional means that, once established, either party can initiate Quick Mode, Informational, and New Group Mode exchanges. IPSec SA is unidirectional; IKE SA is bidirectional.

11:

What is ICV and how is it calculated?

A11:

ICV stands for Integrity Check Value. The computation of the ICV is over IP header fields that are either immutable in transit or that are predictable in value upon arrival at the endpoint for the SA.

12:

Which ports have to be open in the company's firewall to ensure ISAKMP, ESP, and AH operation?

A12:

ISAKMP: UDP port 500; ESP: protocol 50; AH: protocol 51.

13:

What is the advantage of XAUTH among other authentication methods? What is type 1 authentication in XAUTH?

A13:

XAUTH is designed in a way to provide a method to leverage legacy authentication methods that are widely deployed today with existing and future authentication mechanisms. Type 1 authentication in XAUTH is RADIUS-CHAP.

14:

What is the size of the prime in DH Group 5?

A14:

1536 bits (600h).

15:

What does PFS stand for? Explain PFS.

A15:

PFS stands for perfect forward secrecy. In PFS, a shared secret encryption key can be calculated that has no relationship to the preceding key.




Troubleshooting Remote Access Networks (CCIE Professional Development)
ISBN: 1587050765
Year: 2002
Pages: 235
