Exam Prep Questions


Question 1

When using IPSec, AH and ESP can be used at the same time.

  • A. True

  • B. False

A1:

Answer A is correct. IPSec can be implemented with AH, ESP, or both AH and ESP enabled at the same time. Using both AH and ESP provides data confidentiality and header integrity. Therefore, answer B is incorrect.

Question 2

How many transformations can you have in a transform set?

  • A. 1

  • B. 2

  • C. 3

  • D. 4

A2:

Answer C is correct. The transform-set command enables you to create a named set of transforms. The command supports up to three transforms: one AH, one ESP for authentication, and one for ESP data confidentiality. Therefore, answers A, B, and D are incorrect.

Question 3

Which command enables you to give VPN clients addresses?

  • A. ip dhcp pool

  • B. access-list

  • C. ip local pool

  • D. vpdn group pool

A3:

Answer C is correct. The ip local pool command enables you to create a pool of addresses for VPN remote access clients. The vpdn group command can reference the IP local pool to issue IP addresses for connecting VPN clients. Answer A is an invalid command and is therefore incorrect. Answer B is used to create access lists but these are not used to hand out client addresses, so it is incorrect. The command in answer D, vpdn group pool, does not exist and is therefore incorrect.

Question 4

What is the hybrid protocol used to exchange keys?

  • A. IPSec

  • B. IKE

  • C. AH

  • D. DES

A4:

Answer B is correct. IKE stands for the Internet Key Exchange protocol. This hybrid protocol contains several other protocols that are used to create and establish a secure connection before passing IPSec parameters. Answer A is incorrect because IPSec is created after the key exchanges take place by IKE. Answer C is incorrect because AH is a method involving authentication headers that IPSec uses to guarantee data integrity. Answer D is incorrect because DES is an encryption algorithm and doesn't exchange keys.

Question 5

Which command enables you to use AH in an IPSec connection?

  • A. crypto map

  • B. train-set

  • C. integrity-set

  • D. transform-set

A5:

Answer D is correct. The transform-set command enables you to select up to a maximum of three transforms, one of which can be AH. This is later referenced inside a crypto map command. Answer A is incorrect because, although crypto map enables you to select a possible transform set that contains an AH setting, the transform-set command is the actual command used to specify AH. Answers B and C are invalid commands and are therefore incorrect.

Question 6

To which interfaces should the crypto map command be applied?

  • A. Only the inside interface

  • B. Every interface

  • C. Only the outside interface

  • D. Only to interfaces that have IPSec packets traversing them

A6:

Answer D is correct. The crypto map command should be applied to only the interfaces that IPSec packets will traverse. Answer A is incorrect because crypto map can be applied to more than just the inside interface. Answer B is incorrect because you should apply crypto map only to interfaces that have IPSec traveling across them. Answer C is incorrect because you need crypto maps on all interfaces that IPSec packets will traverse, not just the outside interface.

Question 7

What does data authentication do? (Select two.)

  • A. Data origin authentication

  • B. Data confidentiality

  • C. Data replay

  • D. Data integrity

A7:

Answers A and D are correct. Data authentication is the ability to support data origin authentication and data integrity. This gives you the ability to authenticate the source of the IPSec packet. It does not, however, provide data confidentiality, which involves the encryption of user data. Therefore, answer B is incorrect. Answer C is incorrect because it does not provide data replay functionality.

Question 8

Which security association lifetime timeout is used if two IPSec peers have different values?

  • A. The lowest one is used.

  • B. The difference between them is used.

  • C. The highest one is used.

  • D. The connection fails.

A8:

Answer A is correct. When two peers negotiate the security association lifetime value, the lowest value between the clients is used. Answers B and C are incorrect because the lowest value is used. Answer D is incorrect because the connection does not fail; the lowest value is used.

Question 9

To delete all IPSec security associations, which command could you use?

  • A. reset sa

  • B. reload security association

  • C. clear sa

  • D. clear ipsec sa

A9:

Answer D is correct. The clear ipsec sa command is used to delete or clear all current security associations. Answers A, B, and C are all invalid commands.

Question 10

When two IPSec peers connect, which transform set is selected if multiple sets are found?

  • A. The most secure one

  • B. The last one

  • C. The least secure one

  • D. The first one

A10:

Answer D is correct. When multiple transform sets are configured, the first matching transform set is used. The crypto map is used to create the order. Therefore, answers A, B, and C are incorrect.

Question 11

In what way can security associations be established? (Select two.)

  • A. IKE

  • B. IPSec

  • C. Manual

  • D. Static

A11:

Answers A and C are correct. Security associations between two peers can be established dynamically using IKE or manually. Answer B is incorrect because IPSec does not actually create the SA; IKE does. Answer D is incorrect because static might be considered valid, but manual is more correct.

Question 12

What does IKE provide? (Select three.)

  • A. Peer authentication

  • B. Security association negotiations

  • C. User data encryption

  • D. Key establishment

A12:

Answers A, B, and D are correct. IKE provides a secure connection to exchange keys, authentication, and security associations between two peers. IKE has two main modes, main and aggressive, that are used to help exchange keys. Answer C is incorrect because IKE establishes an SA, whereas IPSec and ESP encrypt user data.

Question 13

What does IPSec AH provide? (Select two.)

  • A. Anti-replay protection

  • B. User data encryption

  • C. Data authentication

  • D. IKE peer authentication

A13:

Answers A and C are correct. Authentication headers provide anti-replay protection and data authentication. Answer B is incorrect because user data is encrypted only when ESP is used. Answer D is incorrect because AH does not provide IKE; IKE authenticates peers and helps create an SA so IPSec AHs can be created.

Question 14

IPSec provides security at which OSI layer?

  • A. 1

  • B. 2

  • C. 3

  • D. 7

A14:

Answer C is correct. IPSec provides protection at layer 3. If AH is used, all data from layer 3 and above is protected. If ESP is used, all information above layer 3 is encrypted. Answer A is incorrect because layer 1 is the physical layer and the data has already been encrypted by this point. Answer B is incorrect because the data has already been encrypted by this time. Answer D is incorrect because layer 7 is the Application layer and IPSec does not work at this level.




CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
