1
What are some of the main benefits and drawbacks of IPsec remote access VPNs?
Answer:
Benefits: IPsec can provide strong security for VPN traffic; IPsec remote access VPNs offer users a level of functionality similar to that they would experience at their office or central site; the Cisco VPN Client includes features such as enforcement of firewall type, antivirus software type and level, and operating system service pack level on certain client workstation operating systems. Drawbacks: the IPsec extensions that provide additional functionality for remote access VPNs, such as Xauth and Mode Config, are not industry standards and are not implemented on all operating systems; the Cisco VPN Client must be installed on each client workstation.
2
What are the two main types of issue with regard to IKEv1 in an IPsec remote access VPN environment?
Answer:
Issues relating to user authentication, and issues relating to the negotiation of configuration parameters such as client IP addresses and DNS/WINS server addresses.
3
What are the three main methods by which a VPN gateway can authenticate remote access VPN users when using IKEv1?
Answer:
Xauth (Extended Authentication), Hybrid Authentication, and CRACK (Challenge/Response for Authenticated Cryptographic Keys).
4
What sort of functionality can Mode Config provide?
Answer:
Assignment of configuration attributes, such as an IP address and DNS/WINS server addresses, to the remote access client by the VPN gateway.
5
What information does the debug crypto isakmp command display?
Answer:
It shows detailed information relating to IKE negotiation on a Cisco IOS router as the negotiation takes place, which makes it the first place to look when a remote access tunnel fails to establish.
6
What methods do the VPN 3000 concentrator and Cisco ASA 5500 provide to overcome issues with NAT/PAT and IPsec remote access VPNs?
Answer:
NAT transparency using TCP encapsulation on an administrator-defined port (IPsec over TCP); NAT transparency using UDP encapsulation on an administrator-defined port (IPsec over UDP); NAT transparency using the IETF standard NAT Traversal (NAT-T, UDP port 4500).
7
When a hardware client (Cisco IOS router) is configured for EZVPN, how does a remote access user authenticate?
Answer:
The router prompts the user for an Xauth username and password at the command line during IKE negotiation.
8
What are the three basic ways to configure high availability for IPsec remote access VPNs?
Answer:
Load balancing of IPsec remote access VPN connections over two or more VPN gateways at the same site; failover between VPN gateways at the same site using VRRP; and the configuration of geographically dispersed backup VPN gateways.
9
To allow IPsec remote access VPN connections through a firewall, which ports may have to be opened on the firewall?
Answer:
UDP port 500 (ISAKMP/IKE), IP protocol 50 (ESP), IP protocol 51 (AH), the administrator-defined UDP or TCP ports used for NAT transparency, and UDP port 4500 (NAT-T). Only the subset actually in use needs to be opened: when NAT-T or NAT transparency is used, the ESP or AH packets are carried inside UDP or TCP, so IP protocols 50 and 51 do not have to be permitted.
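The following is an added example, not code from the book, that ties together the answers to questions 4, 6 and 9 above: it classifies the packets of an IPsec remote access session by IP protocol, UDP port and payload, distinguishes IKE from UDP-encapsulated ESP on port 4500 by the RFC 3948 Non-ESP Marker, decodes the ISAKMP header far enough to name the exchange (Main Mode, Quick Mode, the Transaction exchange used by Mode Config and Xauth), and derives the firewall openings a given traffic mix needs. The packets, cookies, SPI and payload sizes are constructed for the demonstration and are not taken from a capture.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): initiator cookie (8), responder cookie (8),
# next payload (1), version (1), exchange type (1), flags (1), message ID (4), length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = bytes(4)   # RFC 3948 2.2: four zero bytes prefixed to IKE on UDP 4500.
                            # Works because a real ESP packet starts with a non-zero SPI.
NAT_KEEPALIVE = b"\xff"     # RFC 3948 2.3: one-byte payload that keeps the NAT mapping alive

IKE_EXCHANGE = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive Mode",
    5: "Informational",
    6: "Transaction (Mode Config / Xauth)",   # ISAKMP-Config exchange used by Mode Config and Xauth
    32: "Quick Mode",
}


def parse_isakmp(data):
    """Parse an IKEv1 (ISAKMP) header and return its fields; raise ValueError if malformed."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    i_ck, r_ck, _next_pl, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    if ver >> 4 != 1:
        raise ValueError("not IKEv1: major version %d" % (ver >> 4))
    if length != len(data):
        raise ValueError("ISAKMP length field %d != %d bytes seen" % (length, len(data)))
    return {
        "initiator_cookie": i_ck.hex(),
        "responder_cookie": r_ck.hex(),
        "exchange": IKE_EXCHANGE.get(exch, "unknown (%d)" % exch),
        "first_message": r_ck == bytes(8),   # responder cookie is zero until the responder replies
        "encrypted": bool(flags & 0x01),     # E bit: set on Quick Mode and Mode Config/Xauth
        "message_id": msg_id,
    }


def classify(ip_proto, dst_port, payload):
    """Label one packet of an IPsec remote access session from protocol, port and payload."""
    if ip_proto == 50:
        return "ESP (native IP protocol 50)"
    if ip_proto == 51:
        return "AH (native IP protocol 51)"
    if ip_proto != 17:
        return "not VPN"
    if dst_port == 500:
        return "IKE on UDP 500: " + parse_isakmp(payload)["exchange"]
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "NAT-T keepalive"
        if payload.startswith(NON_ESP_MARKER):
            return "IKE over NAT-T: " + parse_isakmp(payload[4:])["exchange"]
        if len(payload) >= 8:
            spi, seq = struct.unpack_from("!II", payload)
            return "ESP over NAT-T: SPI 0x%08x seq %d" % (spi, seq)
        return "malformed UDP 4500 payload"
    return "not VPN"


def required_openings(packets):
    """Firewall openings the given traffic needs (question 9). With NAT-T or NAT transparency
    the ESP/AH packets ride inside UDP or TCP, so IP protocols 50/51 need not be opened."""
    need = set()
    for proto, port, payload in packets:
        label = classify(proto, port, payload)
        if label.startswith(("not VPN", "malformed")):
            continue
        need.add("ip/%d" % proto if proto in (50, 51) else "udp/%d" % port)
    return need


def build_isakmp(exchange, i_cookie, r_cookie=bytes(8), next_payload=1, flags=0, msg_id=0, body=b""):
    """Build a constructed ISAKMP message (header plus opaque body) for the samples below."""
    return ISAKMP_HDR.pack(i_cookie, r_cookie, next_payload, 0x10, exchange, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed samples (not captures): cookies, SPI and payload sizes are arbitrary.
I_COOKIE = bytes.fromhex("0102030405060708")
R_COOKIE = bytes.fromhex("a1a2a3a4a5a6a7a8")
SAMPLE_PACKETS = [  # (ip_proto, dst_port, UDP payload or raw IP payload)
    (17, 500, build_isakmp(2, I_COOKIE, body=bytes(24))),                 # Main Mode message 1
    (17, 4500, NON_ESP_MARKER + build_isakmp(6, I_COOKIE, R_COOKIE, next_payload=8,
                                             flags=0x01, msg_id=0x4d43, body=bytes(40))),
    (17, 4500, struct.pack("!II", 0x0A1B2C3D, 1) + bytes(48)),            # ESP in UDP
    (17, 4500, NAT_KEEPALIVE),
    (50, 0, bytes(64)),                                                    # raw ESP, client not behind NAT
    (17, 53, b"dns"),                                                      # unrelated traffic
]

if __name__ == "__main__":
    for proto, port, payload in SAMPLE_PACKETS:
        print("proto %2d port %4d -> %s" % (proto, port, classify(proto, port, payload)))
    print("firewall openings needed:", sorted(required_openings(SAMPLE_PACKETS)))
```

Run against the first four samples only (a client behind NAT using NAT-T), required_openings() returns just udp/500 and udp/4500; the raw ESP sample adds ip/50, which is the practical meaning of "may have to be opened" in the answer above.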
10
What file can be modified to provide auto-initiation of Cisco VPN Client connections with wireless VPNs?
Answer:
The Cisco VPN Client can be configured to auto-initiate a VPN connection to a VPN gateway by modifying the vpnclient.ini file.
Part I: Understanding VPN Technology
What Is a Virtual Private Network?
Part II: Site-to-Site VPNs
Designing and Deploying L2TPv3-Based Layer 2 VPNs
Designing and Implementing AToM-Based Layer 2 VPNs
Designing MPLS Layer 3 Site-to-Site VPNs
Advanced MPLS Layer 3 VPN Deployment Considerations
Deploying Site-to-Site IPsec VPNs
Scaling and Optimizing IPsec VPNs
Part III: Remote Access VPNs
Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs
Designing and Deploying IPsec Remote Access and Teleworker VPNs
Designing and Building SSL Remote Access VPNs (WebVPN)
Part IV: Appendixes
Appendix B. Answers to Review Questions