1. Assuming that you are using IKE preshared key authentication, and that a unique preshared key is used between each pair of gateways, how many unique preshared keys are required for an IPsec VPN consisting of 10 gateways? How many (end-entity) certificates are required if IKE RSA digital signature authentication is used instead?

Answer:

45 unique preshared keys are required for an IPsec VPN consisting of 10 gateways. For the same number of gateways, 10 (end-entity) certificates are required.

2. What are two common ways to reduce the amount of configuration on gateways in an IPsec VPN?

Answer:

TED and DMVPN. Wildcard preshared keys can also, to an extent, reduce the amount of configuration, although their use is not generally recommended.

3. What protocol does DMVPN rely on to provide direct spoke site-to-spoke site connectivity?

Answer:

The Next Hop Resolution Protocol (NHRP).

4. What type of certificate is used for RSA digital signature authentication with IPsec?

Answer:

The X.509 certificate is used.

5. What are two methods that a Cisco IOS router can use to check the revocation status of a certificate?

Answer:

It can check the revocation status using a Certificate Revocation List (CRL) or it can use the Online Certificate Status Protocol (OCSP) to query an OCSP responder.

6. What are the three main ways to configure high availability in an (IOS) IPsec VPN?

Answer:

The three main ways to configure high availability are to configure multiple IPsec peers (within a crypto) with IKE keepalives, use HSRP, or to use redundant GRE tunnels.

7. Why is fragmentation of IPsec packets undesirable?

Answer:

It may cause IPsec packets to be dropped, and it will cause packet reassembly on a receiving IPsec gateway (which in turn causes high processor and memory overhead).

8. What ToS/DS value does an IPsec VPN gateway include in the outer header of an IPsec packet by default?

Answer:

In transport mode, the ToS/DS value is preserved from the original user packet. In tunnel mode, the ToS/DS value is copied from the encapsulated user packet.

9. Why might packets associated with the same IPsec SA be dropped if they are subject to different QoS treatment in an intervening network between IPsec VPN gateways?

Answer:

Packets might be dropped if QoS packet scheduling causes packet re-ordering, and this in turn causes some packets to fall outside (to the "left" of) the anti-replay window on the receiving IPsec VPN gateway.
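The anti-replay behaviour in this answer, as an added illustration that is not from the book: a Python sliding window in the style of RFC 4303 (64-packet window assumed), fed a constructed arrival order in which one low-priority packet is delayed past the window and so is dropped, while a packet delayed only a little is still accepted.

```python
"""Sliding anti-replay window of the kind an IPsec receiver keeps per SA.
Added example, not from the book; window size and arrival order are constructed."""


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Return (accepted, reason) for an ESP/AH packet with sequence number seq."""
        if seq == 0:
            return False, "seq 0 is never valid"
        if seq > self.top:
            # Packet advances the window: shift the bitmap and mark seq as seen.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True, "new high"
        offset = self.top - seq
        if offset >= self.size:
            # Too old: fell off the left edge of the window (the QoS reordering case).
            return False, "left of window"
        if self.bitmap & (1 << offset):
            return False, "replay"
        self.bitmap |= 1 << offset
        return True, "in window"


def simulate(arrival_order, window_size=64):
    """Run every sequence number through one window; returns [(seq, accepted, reason)]."""
    win = AntiReplayWindow(window_size)
    return [(seq, *win.check(seq)) for seq in arrival_order]


def dropped_sequences(arrival_order, window_size=64):
    return [(seq, reason) for seq, ok, reason in simulate(arrival_order, window_size) if not ok]


# Constructed arrival order: seq 40 is delayed slightly, seq 2 is held back in a
# low-priority queue until 70 higher-priority packets have passed, and seq 50 is replayed.
ARRIVAL = [1] + list(range(3, 40)) + list(range(41, 71)) + [40, 2, 50]

if __name__ == "__main__":
    for seq, reason in dropped_sequences(ARRIVAL):
        print(f"seq {seq:3d} dropped: {reason}")
```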

10. What are some common ways to prevent fragmentation of IPsec packets?

Answer:

Ensuring that end hosts send small user packets, fixing PMTUD, and using prefragmentation.

Appendix B. Answers to Review Questions



Comparing, Designing, and Deploying VPNs
ISBN: 1587051796
Year: 2007
Pages: 124
Authors: Mark Lewis
