Term
Briefly describe the 5 generic steps involved in creating a site-to-site IPsec VPN.
Definition
1. Specify interesting traffic
2. IKE phase 1
3. IKE phase 2
4. Secure data transfer
5. IPsec tunnel termination

Term
How is interesting traffic identified when using an IPsec VPN?
Definition
An extended access list (ACL) is used to specify interesting traffic.

Term
How are Internet Key Exchange (IKE) transform sets used during the establishment of IPsec VPNs?
Definition
IKE transform sets are different combinations of security parameters that are grouped together. These are used any time 2 IPsec endpoints negotiate security parameters.

Term
What are the 5 parameters that must be coordinated during Internet Key Exchange (IKE) phase 1?
Definition
- IKE encryption algorithm (DES, 3DES, or AES)
- IKE authentication algorithm (MD5 or SHA-1)
- IKE key (preshared, RSA signatures, nonces)
- Diffie-Hellman version (1, 2, or 5)
- IKE tunnel lifetime (time and/or byte count)

Term
What are the three different methods that Internet Key Exchange (IKE) can use for peer authentication during phase 1?
Definition
- Preshared keys - manually entered into each peer.
- RSA signatures - use digital certificates issued by a certificate authority (CA) to authenticate peers.
- RSA-encrypted nonces - random numbers generated by each peer, encrypted, and sent to each other. These are only used once.

Term
What are the functions that are performed during the Internet Key Exchange (IKE) phase 2?
Definition
- Negotiation of IPsec security parameters via IPsec transform sets.
- Establishment of IPsec SAs (unidirectional IPsec tunnels)
- Periodic renegotiation of IPsec SAs to ensure security
- An additional Diffie-Hellman exchange (optional)

Term
What are the 5 parameters that must be coordinated during quick mode between IPsec peers?
Definition
- IPsec protocol (ESP or AH)
- IPsec encryption type (DES, 3DES, or AES)
- IPsec authentication (MD5 or SHA-1)
- IPsec mode (tunnel or transport)
- IPsec SA lifetime (seconds or kilobytes)

Term
Describe the security associations (SAs) that are created during the Internet Key Exchange (IKE) phase 2 process.
Definition
A security association (SA) is a group of security services (parameters) agreed upon between 2 IPsec peers. Each IPsec SA is a one-way connection between the 2 IPsec peers; thus, a complete IPsec connection consists of 2 IPsec SAs: one incoming and one outgoing.

Term
How does an IPsec connection work around the fact that it needs to know the SA used in every IPsec packet?
Definition
Each SA is referenced by a Security Parameter Index (SPI). The SPI travels with each IPsec packet and is used to reference and confirm the security parameters upon arrival at the far end. The use of the SPI eliminates the need to send the security parameters with each IPsec packet.

Term
How does each IPsec client keep track of each of the security associations (SAs) that the client participates in?
Definition
Each IPsec client uses an SA database (SAD) to track each of the SAs that the client participates in.

Term
How does an IPsec client store the security parameters that were agreed upon for each security association (SA) (in the transform sets)?
Definition
The Security Policy Database (SPD) contains the security parameters that were agreed upon for each SA in the transform sets.

Term
What command displays all active IKE sessions (all IKE phase 1 tunnels)?
Definition

Term
What command displays all the IPsec SAs (the result of a successful IKE phase 2)?
Definition

Term
What command is used to debug the entire IKE process?
Definition

Term
What command displays error messages for IKE-related operations?
Definition
debug crypto isakmp error

Term
What command displays error messages for IPsec-related operations?
Definition

Term
What command is used to create or modify an IKE policy?
Definition
crypto isakmp policy priority

Term
What command specifies the encryption algorithm within an IKE policy?
Definition
encryption {des | 3des | aes | aes-192 | aes-256}

Term
What command specifies the hash algorithm within an IKE policy?
Definition

Term
What command specifies the authentication method within an IKE policy?
Definition
authentication {rsa-sig | rsa-encr | pre-share}

Term
What command specifies the Diffie-Hellman group identifier within an IKE policy?
Definition

Term
What command specifies the lifetime of an IKE security association (SA)?
Definition

Term
What command configures a preshared authentication key?
Definition
crypto isakmp key keystring address peer-address

Term
What command defines a transform set, an acceptable combination of security protocols and algorithms?
Definition
crypto ipsec transform-set set-name transform1 [transform2 [transform3]]

Term
What command specifies the mode for a transform set?
Definition
mode {tunnel | transport}

Term
What command is used to change the global lifetime values used when negotiating IPsec security associations?
Definition
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

Term
What command is used to create or modify a crypto map entry and enter crypto map configuration mode?
Definition
crypto map map-name seq-number {ipsec-manual | ipsec-isakmp} [dynamic dyn-map-name]

Term
What command specifies an IPsec peer in a crypto map entry?
Definition
set peer {hostname | ip-address}

Term
What command specifies which transform sets can be used with the crypto map entry?
Definition
set transform-set transform-set-name

Term
What command displays IPsec events?
Definition

Term
What command displays messages about IKE events?
Definition
