The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Using a client software package for connecting to corporate resources over a secure VPN is known as what?

a. Access VPN

b. Remote-access VPN

c. Dialup VPN

d. Network resource VPN

e. None of the above

2. What is not a step required to create an IPsec VPN tunnel?

a. User initiates network access.

b. Endpoint devices authenticate each other via IKE.

c. IPsec SA between the peers is established.

d. User credential information is validated on the devices.

e. All of the above.

3. Which of the following are components of defining the IKE (Phase 1) policy?

a. Select a key distribution method.

b. Select an authentication method.

c. Identify the ISAKMP peer.

d. Select the ISAKMP policies.

e. Select the IKE SA settings.

f. All of the above.

4. What is not an ISAKMP policy for connection within the Cisco IOS Firewall feature set?

a. Message encryption algorithm

b. DES

c. Diffie-Hellman

d. Triple DES

f. All of the above

5. All of the following are features of ESP except for what?

a. Provides origin authentication

b. Implements data integrity

c. Provides antireplay protection

d. Encrypts only the payload

e. Supports tunnel and transport mode

f. All of the above

6. What valid IPsec transforms can be used in an IPsec tunnel configuration? (Select four.)

a. esp-md5-hmac

b. ah-sha-hmac

c. esp-aes (aes 128,192,256)

f. esp-sha-hmac

7. What command is missing from the creation of this IKE policy on the router?

a. router(config-isakmp)#authentication pre-share

b. router(config-isakmp)#encryption aes 256

c. router(config-isakmp)#group 5

d. router(config-isakmp)#lifetime 86400

g. #pre-share key test123

h. #hashtype md5

j. None of the above

8. Which of the following is not a feature of the crypto map?

a. Identify what traffic is to be encrypted

b. Where data should be sent (SA peer)

c. What security should be applied to the traffic

d. How granular the logging of traffic should be

e. How the IPsec SA should be established

f. All of the above

9. When you manually configure the IPsec connection from the crypto map configuration, it removes this functionality.

a. Ability to use preshared secrets.

b. Multipoint tunnels.

c. Strong authentication and encryption support.

d. Peers can renegotiate and constantly change connection parameters.

e. Tracking and monitoring.

f. You cannot manually configure the IPsec connection.

10. What are the drawbacks of using RSA nonces for an IPsec connection? (Select two.)

a. Initial key exchange

b. Limited logging

c. Difficult management

d. Special privilege requirements

e. Additional firmware

f. All of the above

The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

• 8 or less overall score: Read the entire chapter. This includes the "Foundation Topics" and "Foundation Summary" sections and the "Q&A" section.

• 9 or 10 overall score: If you want more review on these topics, skip to the "Foundation Summary" section and then go to the "Q&A" section. Otherwise, move on to Chapter 20, "Scaling a VPN Using IPsec with a Certificate Authority".


