Term
Briefly describe the 5 generic steps involved in creating a site-to-site IPsec VPN. |
|
Definition
1. Specify interesting traffic
2. IKE phase 1
3. IKE phase 2
4. Secure data transfer
5. IPsec tunnel termination |
|
|
Term
How is interesting traffic identified when using an IPsec VPN? |
|
Definition
An extended access list (ACL) is used to specify interesting traffic. |
|
|
Term
How are Internet Key Exchange (IKE) transform sets used during the establishment of IPsec VPNs? |
|
Definition
IKE transform sets are different combinations of security parameters that are grouped together. These are used anytime 2 IPsec endpoints negotiate security parameters. |
|
|
Term
What are the 5 parameters that must be coordinated during Internet Key Exchange (IKE) phase 1? |
|
Definition
- IKE encryption algorithm (DES, 3DES, or AES)
- IKE authentication algorithm (MD5 or SHA-1)
- IKE key (preshared, RSA signatures, nonces)
- Diffie-Hellman group (1, 2, or 5)
- IKE tunnel lifetime (time and/or byte count) |
|
|
Term
What are the three different methods that Internet Key Exchange (IKE) can do peer authentication during phase 1? |
|
Definition
- Preshared keys: manually entered into each peer.
- RSA signatures: use digital certificates issued by a certificate authority (CA) to authenticate peers.
- RSA-encrypted nonces: a random number generated by each peer, encrypted, and sent to the other peer. These are used only once. |
|
|
Term
What are the functions that are performed during the Internet Key Exchange (IKE) phase 2? |
|
Definition
- Negotiation of IPsec security parameters via IPsec transform sets
- Establishment of IPsec SAs (unidirectional IPsec tunnels)
- Periodic renegotiation of IPsec SAs to ensure security
- An additional Diffie-Hellman exchange (optional) |
|
|
Term
What are the 5 parameters that must be coordinated during quick mode between IPsec peers? |
|
Definition
- IPsec protocol (ESP or AH)
- IPsec encryption type (DES, 3DES, or AES)
- IPsec authentication (MD5 or SHA-1)
- IPsec mode (tunnel or transport)
- IPsec SA lifetime (seconds or kilobytes) |
|
|
Term
Describe the security associations (SAs) that are created during the Internet Key Exchange (IKE) phase 2 process. |
|
Definition
A security association (SA) is a group of security services (parameters) agreed upon between 2 IPsec peers. Each IPsec SA is a one-way connection between the 2 IPsec peers; thus, a complete IPsec connection consists of 2 IPsec SAs, one incoming and one outgoing. |
|
|
Term
How does an IPsec connection work around the fact that it needs to know the SA used in every IPsec packet? |
|
Definition
Each SA is referenced by a Security Parameter Index (SPI). The SPI travels with each IPsec packet and is used to reference and confirm the security parameters upon arrival at the far end. The use of the SPI eliminates the need to send the security parameters with each IPsec packet. |
|
|
Term
How does each IPsec client keep track of each of the security associations (SAs) that the client participates in? |
|
Definition
Each IPsec client uses an SA database (SAD) to track each of the SAs that the client participates in. |
|
|
Term
How does an IPsec client store the security parameters that were agreed upon for each security association (SA) (in the transform sets)? |
|
Definition
The Security Policy Database (SPD) contains the security parameters that were agreed upon for each SA in the transform sets. |
|
|
Term
What command displays all active IKE sessions (All IKE phase 1 tunnels)? |
|
Definition
|
|
Term
What command displays all the IPsec SAs (the result of successful IKE phase2)? |
|
Definition
|
|
Term
What command is used to debug the entire IKE process? |
|
Definition
|
|
Term
What command displays error messages for IKE-related operations? |
|
Definition
debug crypto isakmp error |
|
|
Term
What command displays error messages for IPsec-related operations? |
|
Definition
|
|
Term
What command is used to create or modify an IKE policy? |
|
Definition
crypto isakmp policy priority |
|
|
Term
What command specifies the encryption algorithm within an IKE policy? |
|
Definition
encryption {des | 3des | aes | aes-192 | aes-256} |
|
|
Term
What command specifies the hash algorithm within an IKE policy? |
|
Definition
|
|
Term
What command specifies the authentication method within an IKE policy? |
|
Definition
authentication {rsa-sig | rsa-encr | pre-share} |
|
|
Term
What command specifies the Diffie-Hellman group identifier within an IKE policy? |
|
Definition
|
|
Term
What command specifies the lifetime of an IKE security association (SA)? |
|
Definition
|
|
Term
What command configures a preshared authentication key? |
|
Definition
crypto isakmp key keystring address peer-address |
|
|
Term
What command defines a transform set—an acceptable combination of security protocols and algorithms? |
|
Definition
crypto ipsec transform-set set-name transform1 [transform2 [transform3]] |
|
|
Term
What command specifies the mode for a transform set? |
|
Definition
mode [tunnel | transport] |
|
|
Term
What command is used to change the global lifetime values used when negotiating IPsec security associations? |
|
Definition
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes} |
|
|
Term
What command is used to create or modify a crypto map entry and enter the crypto map configuration mode? |
|
Definition
crypto map map-name seq-number {ipsec-manual | ipsec-isakmp} [dynamic dyn-map-name] |
|
|
Term
What command specifies an IPsec peer in a crypto map entry? |
|
Definition
set peer {hostname | ip-address} |
|
|
Term
What command specifies which transform sets can be used with the crypto map entry? |
|
Definition
set transform-set transform-set-name |
|
|
Term
What command displays IPsec events? |
|
Definition
|
|
Term
What command displays messages about IKE events? |
|
Definition
|
|