
Cisco Secure VPN Exam Certification Guide (Cisco Press)
508 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Sections
23. How do you start the Cisco VPN Client installation process?
You start the Cisco VPN Client installation process by inserting the CD-ROM into the PC and allowing Autorun to bring up the CD’s menu. Select Install Cisco VPN Client from the menu.
24. What variables can you supply during the installation process of the Cisco VPN Client?
The only options, other than when to reboot the system, are to select the location in which to store files and the location in which to place the application.
Chapter 4—Q&A
1. Where would you normally use unique preshared keys?
You would normally use unique preshared keys in site-to-site VPNs.
2. To use a web browser to access the VPN Manager application on VPN concentrators, what features must you enable on the browser?
You must enable both JavaScript and cookies on the browser to access the VPN Manager.
3. What information is required to configure a LAN interface on the VPN concentrator?
You must supply the IP address, subnet mask, speed, and duplex mode to configure a VPN concentrator LAN interface.
4. What is the default administrator name and password for the GUI VPN Manager?
The administrator name and password are the same for the CLI and the GUI systems: admin/admin.
5. What options are available for addressing an IP interface on the IP Interfaces screen?
The IP Interfaces screen gives you the option to disable the interface, obtain an address from DHCP, or assign a static IP address.
6. What is the maximum number of combined groups and users that can be supported on a VPN 3015 Concentrator?
The 3015 Concentrator can support a maximum of 100 combined groups and users.
7. What are the four subcategories under the Configuration option of the VPN Manager’s TOC?
The four subcategories under the Configuration option are Interfaces, System, User Management, and Policy Management.

8. On the General tab of a group’s Add screen, what options can you select for Access Hours?
On the General tab of the Group Add screen, you can select No Restrictions, Never, or Business Hours as the access hours for the group.
9. What IPSec protocols are available from the default IPSec SA settings on the IPSec tab of the Group Add screen?
The only IPSec protocol available by default on the IPSec tab of the Group Add screen is the ESP protocol. Authentication Header (AH) is not an option. ESP provides both encryption and authentication, whereas AH provides only authentication.
10. What are the nine subcategories under the Configuration | System option in the VPN Manager’s table of contents?
The Configuration | System subcategories are Servers, Address Management, Tunneling Protocols, IP Routing, Management Protocols, Events, General, Client Update, and Load Balancing Cisco VPN Clients.
11. Where does the VPN concentrator store system events?
The VPN concentrator stores system events in nonvolatile memory.
12. What areas can be configured under the Traffic Management section of the Configuration | Policy Management section?
Under the Configuration | Policy Management | Traffic Management section of the VPN Manager, you can configure Network Lists, Rules, SAs, Filters, and NAT.
13. Where do you enter the preshared key so that a VPN Client can connect to a VPN concentrator?
During the creation of a connection in the VPN Client, you are presented with a screen that allows you to enter Group Access Information. Enter the group name and the group’s password in that screen. The group’s password is the preshared key.
14. What are the three types of preshared keys?
Preshared keys can be unique, group, or wildcard.
15. What types of interfaces are the Public and Private VPN interfaces?
On the VPN concentrators, the Public and Private interfaces are each 10/100-Mbps Ethernet interfaces.
16. Which interface do you need to configure using the browser-based VPN Manager?
You need to configure the Public interface with the VPN Manager. If you have other interfaces, you need to configure those as well. The Private interface was configured using the CLI portion of Quick Configuration.


25. What protocol does the VPN concentrator use to update software versions on Cisco VPN 3002 Hardware Clients?
The VPN concentrator uses TFTP to update the operating system of VPN 3002 Hardware Clients.
26. How do you start the Cisco VPN Client installation process?
You start the Cisco VPN Client installation process by inserting the CD-ROM into the PC and allowing Autorun to bring up the CD’s menu. Select Install Cisco VPN Client from the menu.
27. What methods can you use for user authentication on the Cisco VPN 3000 Series Concentrators?
You can configure the VPN concentrators to use RADIUS, NT Domain, SDI, and internal user authentication.
28. What is a group preshared key?
A group preshared key is one that is associated with a specific user group.
29. When you boot up a Cisco VPN 3000 Concentrator with the default factory configuration, what happens?
The default factory configuration causes the VPN concentrator to boot up into Quick Configuration mode.
30. If you supply an address of 144.50.30.24 and want to use a 24-bit subnet mask for the Private interface on a VPN concentrator, are you able to accept the default subnet mask offered by the VPN Manager?
No. The VPN Manager offers the default mask for the class of the address you assign. Because 144.50.30.24 is a Class B address (first octet in the range 128 through 191), the offered mask is the 16-bit 255.255.0.0, so you must overwrite it with the 24-bit mask 255.255.255.0.
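An added example, not from the book, that performs the check in question 30 for any IPv4 address using Go's standard library: net.IP.DefaultMask applies the same classful rule the VPN Manager uses to pick the mask it offers. The addresses in main are constructed inputs; the output also shows the network each mask produces, which is why accepting the offered /16 would put the Private interface on the wrong network.

```go
package main

import (
	"fmt"
	"net"
)

// MaskCheck compares the classful mask the VPN Manager offers for an address
// with the prefix length the administrator actually wants.
type MaskCheck struct {
	Class          string
	DefaultPrefix  int
	WantedPrefix   int
	AcceptDefault  bool
	DefaultNetwork string
	WantedNetwork  string
}

// classOf returns the classful letter for an IPv4 address from its first octet
// (A: 0-127, B: 128-191, C: 192-223); class D/E addresses have no default mask.
func classOf(v4 net.IP) (string, error) {
	switch {
	case v4[0] < 128:
		return "A", nil
	case v4[0] < 192:
		return "B", nil
	case v4[0] < 224:
		return "C", nil
	}
	return "", fmt.Errorf("%s is a class D/E address and has no default mask", v4)
}

// checkMask does what the VPN Manager does when it offers a mask: it derives the
// classful default (net.IP.DefaultMask implements the same rule) and reports
// whether that default equals the wanted prefix and which network each yields.
func checkMask(addr string, wantedPrefix int) (MaskCheck, error) {
	v4 := net.ParseIP(addr).To4() // To4 on a nil IP returns nil, so bad input is caught below
	if v4 == nil {
		return MaskCheck{}, fmt.Errorf("%q is not an IPv4 address", addr)
	}
	if wantedPrefix < 0 || wantedPrefix > 32 {
		return MaskCheck{}, fmt.Errorf("prefix length %d is out of range", wantedPrefix)
	}
	class, err := classOf(v4)
	if err != nil {
		return MaskCheck{}, err
	}
	defMask := v4.DefaultMask()
	defPrefix, _ := defMask.Size()
	wantMask := net.CIDRMask(wantedPrefix, 32)
	return MaskCheck{
		Class:          class,
		DefaultPrefix:  defPrefix,
		WantedPrefix:   wantedPrefix,
		AcceptDefault:  defPrefix == wantedPrefix,
		DefaultNetwork: v4.Mask(defMask).String(),
		WantedNetwork:  v4.Mask(wantMask).String(),
	}, nil
}

func main() {
	// Constructed inputs: the book's address, one whose class default fits, and a multicast address.
	for _, c := range []struct {
		addr   string
		prefix int
	}{{"144.50.30.24", 24}, {"10.1.2.3", 8}, {"224.0.0.1", 24}} {
		r, err := checkMask(c.addr, c.prefix)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s is class %s: offered /%d (%s), wanted /%d (%s), accept default? %v\n",
			c.addr, r.Class, r.DefaultPrefix, r.DefaultNetwork, r.WantedPrefix, r.WantedNetwork, r.AcceptDefault)
	}
}
```

For 144.50.30.24 the offered mask puts the interface on 144.50.0.0/16 while the intended network is 144.50.30.0/24; the routing and filter rules on the concentrator would then be built against the wrong network, so the mask must be corrected before moving on.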
31. What are the three major sections of the VPN Manager system?
The three major sections of the VPN Manager system are Configuration, Administration, and Monitoring.
32. The Quick Configuration system has displayed the System Info screen. What information, other than system date and time, can you enter on this screen?
Other than system date and time, the System Info screen allows you to enter a system name, DNS server, domain name, and default gateway.
33. What is the maximum number of combined groups and users that can be supported on a VPN 3060 Concentrator?
The 3060 Concentrator can support a maximum of 1000 combined groups and users.

34. From where do users inherit attributes on the VPN concentrator?
VPN concentrator users inherit their attributes from their groups. If a user is not a member of a group, the user inherits attributes from the Base Group.
35. What is the default number of simultaneous logins available to group members?
Group members are allowed three simultaneous logins by default.
36. What is the purpose of IKE keepalives?
IKE keepalives keep tabs on peers. If a peer does not respond to IKE keepalives, the VPN concentrator drops the connection. This helps to prevent hung connections.
37. Where would you configure information for NTP and DHCP servers within the VPN Manager?
NTP, DHCP, and other servers are configured in the Configuration | System | Servers section of the VPN Manager.
38. What is the most significant event severity level?
Level 1 is the most significant event severity level on the Cisco VPN 3000 Concentrator.
39. What Microsoft Windows operating systems can support the Cisco VPN Client?
The Cisco VPN Client can operate on Microsoft Windows 95, 98, 98 SE, Me, NT, 2000, and XP operating systems.
40. What programs are available within the VPN Client installation?
The VPN Client installs the following applications: Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client, and VPN Dialer.
41. What is a unique preshared key?
A unique preshared key is one that is associated with a specific IP address.
42. What type of cable does the console port require on VPN concentrators?
VPN concentrator console cables are straight-through RS-232 serial cables with a female DB-9 connector.
43. What is the default administrator name and password for VPN concentrators?
The default VPN concentrator administrator name and password is admin/admin. Change this password before the concentrator is reachable from any untrusted network.
44. How do you get your web browser to connect to the VPN concentrator’s manager application?
To connect to the VPN Manager, simply enter the IP address of the concentrator’s Private interface in the Address box of the browser.

45. What is the first screen that appears when you click the Click here to start Quick Configuration option in the VPN Manager?
The first screen of the VPN Manager’s Quick Configuration is the IP Interfaces screen.
46. If you select Internal Server as the method of user authentication, what additional screen does the Quick Configuration system give you?
When you select Internal Server as the method of user authentication, you must then configure the users and their passwords, so the VPN Manager provides the User Database screen.
47. When do configuration changes become active on the Cisco VPN 3000 Series Concentrators?
Configuration changes take effect immediately on the VPN concentrators.
48. When reviewing the list of attributes for a group, what does it mean when an attribute’s Inherit? box is checked?
Checking the Inherit? box for an attribute means that the attribute will always be inherited from the Base Group.
49. What is a realm in relation to user authentication?
The Internal authentication server can use a qualified username for authentication. The qualified name takes the form of username@group. The @group portion is called the realm. You can set a group’s attribute to not use the realm portion for authentication.
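An added example, not from the book, that models the lookup chain questions 34, 48 and 49 describe: a login name is split into username and realm, the realm selects the group, and each attribute is resolved group first, then Base Group, with the Inherit? flag and the group's strip-realm attribute deciding what applies. The group names, attribute names, users and the exact way the strip-realm attribute changes the name that is authenticated are assumptions made for this example (Go, standard library only).

```go
package main

import (
	"fmt"
	"strings"
)

// GroupAttr is one attribute set on a group. Inherit mirrors the Inherit? check box:
// when it is set, the group takes the Base Group's value for that attribute.
type GroupAttr struct {
	Value   int
	Inherit bool
}

// Group models a user group. StripRealm is the group attribute that makes the
// concentrator authenticate the bare username instead of username@group (assumed semantics).
type Group struct {
	StripRealm bool
	Attrs      map[string]GroupAttr
}

// Concentrator holds the Base Group values, the groups, and the internal user
// database (username -> group name; "" means the user belongs to no group).
type Concentrator struct {
	Base   map[string]int
	Groups map[string]*Group
	Users  map[string]string
}

// splitRealm separates user@group into username and realm; no '@' means no realm.
func splitRealm(qualified string) (user, realm string) {
	if i := strings.LastIndex(qualified, "@"); i >= 0 {
		return qualified[:i], qualified[i+1:]
	}
	return qualified, ""
}

// Resolve turns a login name into the username that must exist in the user database
// and the group whose attributes apply. A realm names the group; unless that group
// strips realms, the whole user@group string is the username to look up.
func (c *Concentrator) Resolve(qualified string) (user, group string, err error) {
	user, realm := splitRealm(qualified)
	if realm != "" {
		g, ok := c.Groups[realm]
		if !ok {
			return "", "", fmt.Errorf("realm %q names no configured group", realm)
		}
		if !g.StripRealm {
			user = qualified
		}
		group = realm
	} else {
		group = c.Users[user] // "" for an unknown user or one in no group
	}
	if _, ok := c.Users[user]; !ok {
		return "", "", fmt.Errorf("user %q is not in the internal database", user)
	}
	return user, group, nil
}

// Attribute resolves attr for a login name: group value first, falling through to the
// Base Group when the group has no value, has Inherit? set, or the user has no group.
func (c *Concentrator) Attribute(qualified, attr string) (int, error) {
	_, group, err := c.Resolve(qualified)
	if err != nil {
		return 0, err
	}
	if g := c.Groups[group]; g != nil {
		if a, ok := g.Attrs[attr]; ok && !a.Inherit {
			return a.Value, nil
		}
	}
	v, ok := c.Base[attr]
	if !ok {
		return 0, fmt.Errorf("attribute %q is not defined on the Base Group", attr)
	}
	return v, nil
}

// sampleConcentrator is a constructed configuration, not one from the book.
func sampleConcentrator() *Concentrator {
	return &Concentrator{
		Base: map[string]int{"simultaneous-logins": 3, "idle-timeout-min": 30},
		Groups: map[string]*Group{
			"sales": {StripRealm: true, Attrs: map[string]GroupAttr{
				"simultaneous-logins": {Inherit: true}, // Inherit? checked: the Base Group's 3 applies
				"idle-timeout-min":    {Value: 10},
			}},
			"eng": {Attrs: map[string]GroupAttr{"simultaneous-logins": {Value: 1}}},
		},
		Users: map[string]string{"alice": "sales", "bob@eng": "eng", "carol": ""},
	}
}

func main() {
	c := sampleConcentrator()
	for _, login := range []string{"alice@sales", "bob@eng", "carol", "dave@nogroup", "alice@eng"} {
		v, err := c.Attribute(login, "simultaneous-logins")
		fmt.Printf("%-13s simultaneous-logins = %d, error: %v\n", login, v, err)
	}
}
```

The two failure cases in main are the ones worth noticing: a realm that names no group is rejected outright, and a realm on a group that does not strip realms makes the whole user@group string the username, so alice@eng fails even though alice exists in sales.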
50. What is split tunneling?
Split tunneling lets the VPN Client send only the traffic destined for the networks behind the concentrator through the IPSec tunnel; all other traffic (Internet browsing, for example) goes directly to its destination in the clear, outside the tunnel. That unprotected path is one the concentrator never sees or filters, so split tunneling is normally enabled only for an explicit list of protected networks.
51. What management protocols can you configure on the VPN concentrator?
VPN Manager allows you to configure FTP, HTTP/HTTPS, TFTP, Telnet, SNMP, SNMP Community Strings, SSL, SSH, and XML.
52. What is the process a VPN Client uses to connect to a VPN concentrator when load balancing is used between two or more VPN concentrators?
The VPN Client initially tries to connect to the virtual IP address of the cluster. The cluster master intercepts the call and sends the client the public IP address of the least-loaded available concentrator. The client then uses that address to negotiate an IPSec session.


63. What does the Authentication option RADIUS with Expiry provide?
RADIUS with Expiry lets the user know that his password has expired and permits the user to select a new password.
64. What tunneling protocol can be configured on the VPN concentrator to support the Microsoft Windows 2000 VPN client?
L2TP over IPSec is the protocol that is required to support Microsoft Windows 2000 VPN clients. This option is available on the VPN concentrators.
65. How does the VPN 3000 Concentrator handle software updates for VPN Software Clients?
The VPN 3000 Concentrator provides a message to the clients during login. The message provides a location for downloading the updated software version.
66. How do you start the VPN Client on a Windows system?
From the Windows Desktop, choose Start, Programs, Cisco Systems VPN Client, VPN Dialer.
Chapter 5—Do I Know This Already?
1. What Public Key Cryptography Standard (PKCS) is used to enroll with a CA?
PKCS #10 is the standard form generally used to request certificate enrollment with a CA.
2. What field in the certificate request should match the IPSec group name on the VPN concentrator?
The Organizational Unit (OU) should match the IPSec group name on the VPN concentrator.
3. What elements make up the X.500 distinguished name?
Six fields make up the X.500 distinguished name: Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State/Province (SP), and Country (C).
4. What default algorithm type and key size does the VPN concentrator use on the certificate request?
The VPN concentrator uses RSA 512-bit keys as the default on the certificate request. A 512-bit RSA key is far too weak by today's standards; choose the largest key size the concentrator offers when you generate the request.

5. What entity is responsible for generating the Public Key Infrastructure (PKI) public/private key pair for a requesting host?
The host itself must generate the PKI public/private key pair and include the public key with the enrollment request sent to the CA. The private key never leaves the host.
6. When are Secure Sockets Layer (SSL) certificates required on a VPN concentrator?
SSL certificates are required on a VPN concentrator when you want to establish secure communications between the concentrator and the browser on the administrator’s workstation.
7. What is the first certificate that must be installed on a VPN concentrator before you can install any other certificates from a given CA?
You must install the root certificate from a CA before you can install any other certificates from that CA on a VPN concentrator.
8. What two enrollment methods are available on a VPN concentrator?
The VPN concentrator allows you to perform a manual enrollment using a PKCS #10 request or an automated enrollment using the Simple Certificate Enrollment Protocol (SCEP).
9. Where does a VPN concentrator obtain the root CA’s public key?
The VPN concentrator obtains the root CA’s public key from the root certificate.
10. During the authentication process, where does a VPN concentrator find the original hash that the CA calculated for an identity certificate?
The VPN concentrator extracts the original hash that the CA calculated for an identity certificate from the digital signature on the certificate: it decrypts the signature with the CA’s public key, taken from the root certificate, and compares the recovered hash with a hash it computes itself over the certificate’s contents. Only if the two match is the certificate accepted as genuine and unaltered.
11. When you select to cache Certificate Revocation Lists (CRLs) on the VPN concentrator, where are they stored?
Enabling CRL caching on the VPN concentrator permits the concentrator to store CRLs in volatile memory.
12. With CRL caching disabled, how does a VPN concentrator check a certificate’s serial number against a CRL?
When caching is disabled, the VPN concentrator must request a CRL from one of the CA’s distribution points each time it needs to check a certificate’s serial number.
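As an added example (not code from the book or from Cisco), here is the manual enrollment flow that questions 1 through 10 describe, in Go against the standard library's crypto/x509: the host generates its own RSA key pair and signs a PKCS #10 request whose OU carries the IPSec group name; a stand-in CA checks the request's signature and the OU before issuing an identity certificate; the concentrator side then verifies the CA's signature with the public key in the root certificate, checks the validity period, and reads the OU back as the group. The names (Example Root CA, vpn3000.example.com, Example Corp, vpngroup) and the 2048-bit key size are assumptions for the example; the concentrator's own default request uses 512-bit RSA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// parseCert feeds CreateCertificate's (der, err) pair straight into ParseCertificate.
func parseCert(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRootCA stands in for the CA: a root key pair and the self-signed root certificate.
func newRootCA() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits is an assumption for the example
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := parseCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, cert, err
}

// enroll is the host side: generate the key pair locally and sign a PKCS #10 request carrying the X.500 DN; only the public key leaves the host.
func enroll(group string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName:         "vpn3000.example.com",
		OrganizationalUnit: []string{group}, // OU = IPSec group name on the concentrator
		Organization:       []string{"Example Corp"},
		Locality:           []string{"Austin"},
		Province:           []string{"Texas"},
		Country:            []string{"US"},
	}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// issue is the CA side: verify the request's self-signature (proof of key possession), enforce the OU rule, sign the identity certificate.
func issue(caKey *rsa.PrivateKey, ca *x509.Certificate, csrDER []byte, serial int64, group string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if ou := csr.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != group {
		return nil, fmt.Errorf("OU %v does not match IPSec group %q", ou, group)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	return parseCert(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
}

// verify is the concentrator side: the root's public key checks the CA signature, the validity period is checked, and the OU is returned as the IPSec group.
func verify(ca, id *x509.Certificate, now time.Time) (string, error) {
	if err := id.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("signature does not verify with the root public key: %w", err)
	}
	if now.Before(id.NotBefore) || now.After(id.NotAfter) {
		return "", fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
	}
	if ou := id.Subject.OrganizationalUnit; len(ou) == 1 {
		return ou[0], nil
	}
	return "", fmt.Errorf("expected exactly one OU, got %v", id.Subject.OrganizationalUnit)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	caKey, ca, err := newRootCA()
	must(err)
	_, csr, err := enroll("vpngroup") // "vpngroup" is an assumed IPSec group name
	must(err)
	id, err := issue(caKey, ca, csr, 42, "vpngroup")
	must(err)
	group, err := verify(ca, id, time.Now())
	fmt.Println("peer group:", group, "error:", err)
}
```

The order inside verify is deliberate: the signature check with the root's public key comes first, so a certificate from any other CA, a tampered one, or an expired one is rejected before its OU is ever consulted for group placement.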

13. Using the VPN Manager, where would you look to check the status of a certificate enrollment process?
To check the status of a certificate enrollment process using the VPN Manager, select Administration | Certificate Management from the table of contents. The last section on this screen displays enrollment status.
14. When configuring digital certificate support on a VPN concentrator, where do you identify which certificate to use for Internet Key Exchange (IKE) Phase 1 negotiations?
When configuring digital certificate support on a VPN concentrator, the certificate to use is identified on the Configuration | Policy Management | Traffic Management | Security Associations | Add/Modify screen.
15. What must be in place on a client’s PC before you can configure the VPN Client for certificate support?
Before you can configure the VPN Client for certificate support, you must install a root certificate and an identity certificate in the browser.
16. Which screen do you use to enable the use of digital certificates for device authentication during IKE Phase 1 negotiations?
The Authentication tab on the Properties page for a defined connection permits you to select between using preshared keys and digital certificates for IKE Phase 1 authentication.
Chapter 5—Q&A
1. What must be in place on a client’s PC before you can configure the VPN Client for certificate support?
Before you can configure the VPN Client for certificate support, you must install a root certificate and an identity certificate in the browser.
2. What two methods are available on the VPN concentrator for installing certificates obtained through manual enrollment?
To install certificates on the VPN concentrator that were obtained through manual enrollment, you can either cut and paste the text from the PEM-encoded file or upload the file from your workstation.
3. What could cause a digital certificate to be revoked by the CA?
The CA might revoke a certificate if something changed to affect the user’s distinguished name, if the certificate’s private key became compromised, or if the owner of the key (a user or a device) is taken out of service.