
238 Chapter 7 Understanding Cisco IOS IPSec Support

Answers to Written Lab

1. IKE phase 1 and IKE phase 2 are the two phases of IKE.

2. The Cisco devices available for IPSec are Cisco routers, CiscoSecure VPN Concentrators, and PIX Firewalls.

3. DES and 3DES are the two symmetric encryption algorithms that provide confidentiality for ESP.

4. Two IPSec SAs are required for a peering session, one in each direction, because an IPSec SA is unidirectional.

5. Remote access, site-to-site, and extranet are the three categories of VPNs.

6. The Cisco IOS Cryptosystem is made up of DES, MD5, DSS, and DH.

7. XAuth provides a method in which IKE can use AAA to authenticate the user after IKE has authenticated the device.

8. L2TP replaced L2F and PPTP.

9. An IPSec transform is a single security protocol with the corresponding security algorithm.

10. A nonce is a pseudo-random number that is used only once, so that a replayed exchange can be detected.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com


Answers to Review Questions

1. A, B, D. The Cisco IOS Cryptosystem consists of DES, MD5, DSS, and DH.

2. A. During IKE phase 1, DH is used to create the private keys, Xa and Xb, and the public keys, Ya and Yb. Each peer combines its own private key with the other peer's public key and arrives at the same shared secret ZZ, from which the session keys used by DES and MD5 are derived. ZZ itself is never sent over the wire.

3. B. The first step in using RSA-encrypted nonces requires the user to manually generate the keys. The user must then manually enter the public key created on each device into the device it wishes to peer with.

4. C. 3DES is a stronger version of DES that applies DES three times (encrypt, decrypt, encrypt) with three different keys before the data is sent to the peer.

5. D. When tunnel mode encapsulation is used, the original IP header is not used to transport the packet. Instead, a new IP header is created using the IP addresses of the IPSec peers as the source and destination of the packet. This mode is well suited to a VPN across the Internet, because the original header is encapsulated and the addresses of the originating devices can be private.

6. D. In Cisco's Cryptosystem, DES is used to encrypt data, MD5 is used to create a message hash, DSS is used to verify peers by exchanging public keys, and Diffie-Hellman is used to establish the private and public values from which the keys used by DES and MD5 are derived.

7. C. RSA signatures utilize a CA server to issue a device a signed digital certificate. This digital certificate is then exchanged with the devices it wishes to peer with.

8. A. The CiscoSecure VPN Concentrator allows remote access users, such as telecommuters, to be securely connected into a corporate network.

9. A. HMAC-MD5 is a keyed hashing algorithm that uses a 128-bit secret key. HMAC-MD5 produces a 128-bit authentication value that is truncated to its first 96 bits. This truncated value is then inserted into the authenticator field of AH or ESP and sent to the peer, which recomputes it with the same key and compares the two.

10. A. IPSec functions at Layer 3, the Network layer, of the OSI model.

11. A, C, D. There are three types of VPNs: remote access, site-to-site (a.k.a. intranet), and extranet. Answer B is wrong because there isn't an externet VPN type.

12. A. Site-to-site VPN solutions allow a company to connect its remote sites to the corporate backbone securely over a public medium such as the Internet, instead of having to use more expensive WAN connections such as Frame Relay.

13. D. IKE mode configuration allows IKE to scale an IPSec policy out to remote users. This is accomplished by allowing a gateway to download an IP address and other network-level configuration to a client during IKE negotiation. This address is then used as the inner IP address to be encapsulated under IPSec.

14. C. During IKE phase 2, IPSec SAs are negotiated, resulting in the formation of an IPSec tunnel.
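The exchange described in answers 2 and 6, as an added example that is not part of the study guide: both peers run the Diffie-Hellman computation in the book's notation (Xa, Xb private; Ya, Yb public; ZZ shared) and then feed ZZ through the RFC 2409 SKEYID derivation that produces the keys DES and HMAC-MD5 actually use in phase 1. The group is Oakley group 2 (1024-bit MODP, generator 2) from RFC 2409; the pre-shared key, nonces and cookies are constructed values for the demo.

```python
# Added example, not code from the study guide: IKE phase 1 style
# Diffie-Hellman exchange plus the pre-shared-key SKEYID derivation.
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2: 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_private_key() -> int:
    """Random private exponent X in [2, P-2] (the book's Xa / Xb)."""
    return secrets.randbelow(P - 3) + 2


def dh_public_key(x: int) -> int:
    """Y = G^X mod P (the book's Ya / Yb), sent to the peer in the KE payload."""
    return pow(G, x, P)


def dh_shared_secret(peer_y: int, own_x: int) -> int:
    """ZZ = Y_peer^X_own mod P; reject degenerate public values (0, 1, P-1)."""
    if not 2 <= peer_y <= P - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_y, own_x, P)


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf: HMAC with the negotiated hash (MD5 here, as in the book)."""
    return hmac.new(key, data, hashlib.md5).digest()


def skeyid_material(psk, ni, nr, zz, cky_i, cky_r):
    """RFC 2409 section 5 key derivation for pre-shared-key authentication.

    SKEYID_d seeds phase 2 keys, SKEYID_a keys the HMAC-MD5 authentication,
    SKEYID_e keys the DES encryption of the remaining phase 1 messages."""
    gxy = int_to_bytes(zz)
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase1_exchange(psk: bytes):
    """Run both peers and return (ZZ_initiator, ZZ_responder, keys_i, keys_r)."""
    xa, xb = dh_private_key(), dh_private_key()
    ya, yb = dh_public_key(xa), dh_public_key(xb)
    # Nonces (Ni, Nr) and ISAKMP cookies are constructed random values.
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    zz_a = dh_shared_secret(yb, xa)  # initiator: Yb^Xa mod P
    zz_b = dh_shared_secret(ya, xb)  # responder: Ya^Xb mod P
    keys_a = skeyid_material(psk, ni, nr, zz_a, cky_i, cky_r)
    keys_b = skeyid_material(psk, ni, nr, zz_b, cky_i, cky_r)
    return zz_a, zz_b, keys_a, keys_b


if __name__ == "__main__":
    zz_a, zz_b, ka, kb = phase1_exchange(b"cisco123")
    print("ZZ agrees on both sides:", zz_a == zz_b)
    print("SKEYID_e (DES key material):", ka["e"].hex())
```

Only Ya, Yb, the nonces and the cookies cross the wire; an observer who records them still cannot compute ZZ, and a peer holding the wrong pre-shared key derives different SKEYID values and fails the phase 1 hash check.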


15. B. L2TP was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the functionality of L2F and PPTP into one tunneling protocol. L2TP is backward compatible with L2F.

16. B, D. Each SA has a unique triple identity consisting of a Security Parameter Index (SPI), an IP destination address, and a security protocol (AH or ESP) identifier. So the only correct answers are B and D.

17. C. Remote access VPNs allow remote users, such as telecommuters, to securely access the corporate network whenever and from wherever the need may arise.

18. B. The Cisco IOS Cryptosystem uses DES for the encryption of data.

19. B. L2TP was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the functionality of L2F and PPTP into one tunneling protocol.

20. B, C, D. AH provides an integrity check on the whole packet (the mutable IP header fields, such as TTL and the header checksum, are excluded because they legitimately change in transit) and anti-replay protection, but AH doesn't offer any encryption services, so the payload travels in the clear. So answers B, C, and D are correct.
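Answers 9, 16 and 20 together describe what a receiver does with an AH packet. The following is an added example, not code from the study guide: it builds an IPv4 packet protected by AH with HMAC-MD5-96, then processes it inbound by selecting the SA with the (SPI, destination address, protocol) triple, checking the sequence number against an anti-replay window, and verifying the 96-bit ICV over the packet with the mutable IP header fields zeroed. The key, addresses, SPI and payload are constructed for the demo, and the IP header checksum is left zero because it is mutable and never authenticated.

```python
# Added example, not code from the study guide: AH / HMAC-MD5-96 inbound
# processing showing SA lookup, anti-replay and ICV verification.
import hashlib
import hmac
import socket
import struct

IP_PROTO_AH = 51
ICV_LEN = 12            # HMAC-MD5 output truncated to 96 bits (RFC 2403)
AH_LEN = 12 + ICV_LEN   # fixed AH fields plus the ICV


class ReplayWindow:
    """RFC 2401 style sliding anti-replay window over AH sequence numbers."""

    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check(self, seq):
        """True if seq is inside the window and has not been seen yet."""
        if seq == 0 or seq > self.last:
            return seq != 0
        diff = self.last - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Record seq; called only after the ICV has verified."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def ah_icv(key, packet):
    """HMAC-MD5-96 over the packet with mutable fields and the ICV zeroed."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                # Type of Service
    hdr[6:8] = b"\x00\x00"    # flags / fragment offset
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    ah = bytearray(packet[20:20 + AH_LEN])
    ah[12:] = bytes(ICV_LEN)  # authenticator field counts as zero
    data = bytes(hdr) + bytes(ah) + packet[20 + AH_LEN:]
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(key, spi, seq, src, dst, payload, next_header=17):
    """Sender side: option-free IPv4 header + AH + cleartext payload."""
    total = 20 + AH_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64,
                     IP_PROTO_AH, 0, socket.inet_aton(src), socket.inet_aton(dst))
    # AH payload length = length in 32-bit words minus 2 = 4 for HMAC-MD5-96
    ah = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + bytes(ICV_LEN)
    packet = ip + ah + payload
    return packet[:32] + ah_icv(key, packet) + packet[32 + ICV_LEN:]


def process_inbound(sad, packet):
    """Receiver side: SA lookup, anti-replay check, ICV verification.

    Returns (next_header, payload) or raises on any failure."""
    if (packet[0] & 0x0F) * 4 != 20 or packet[9] != IP_PROTO_AH:
        raise ValueError("not an option-free IPv4 AH packet")
    dst = socket.inet_ntoa(packet[16:20])
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    if payload_len != 4:
        raise ValueError("AH length does not match HMAC-MD5-96")
    sa = sad.get((spi, dst, "AH"))  # the SA triple from answer 16
    if sa is None:
        raise LookupError("no AH SA for SPI %#x to %s" % (spi, dst))
    if not sa["window"].check(seq):
        raise ValueError("replayed or stale sequence number %d" % seq)
    if not hmac.compare_digest(ah_icv(sa["key"], packet), packet[32:44]):
        raise ValueError("ICV mismatch: packet was modified in transit")
    sa["window"].update(seq)
    return next_header, packet[44:]


if __name__ == "__main__":
    key = bytes(range(16))  # constructed 128-bit HMAC-MD5 key
    sad = {(0x1000, "10.2.2.1", "AH"): {"key": key, "window": ReplayWindow()}}
    pkt = build_ah_packet(key, 0x1000, 1, "10.1.1.1", "10.2.2.1", b"hello")
    print("payload readable on the wire:", b"hello" in pkt)
    print("accepted:", process_inbound(sad, pkt))
    try:
        process_inbound(sad, pkt)
    except ValueError as err:
        print("replay rejected:", err)
```

A packet whose TTL was decremented by intermediate routers still verifies, because the TTL is zeroed before the HMAC is computed; a packet whose payload was altered fails the ICV check, and a packet presented a second time fails the replay window even though its ICV is still valid.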


Chapter 8

Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

Configuring IPSec encryption tasks
    Preparing for IKE and IPSec
    Configuring IKE
    Configuring IPSec
    Configuring transform set suites
    Configuring global IPSec Security Association (SA) lifetimes
    Creating crypto ACLs
    Creating crypto maps
    Applying crypto maps to interfaces
    Testing and verifying IPSec

Configuring IPSec manually

Configuring IPSec for RSA-encrypted nonces

Configuring CA support tasks
    Understanding CA support
    Configuring CA support
