Securing Cisco IOS Networks Study Guide - Carl Timm.pdf


Command / Purpose

#show crypto ca certificates
    Displays information about a device’s certificate, the CA server certificate, and any RA certificates.

#show crypto ca roots
    Displays information about the CA roots configured on the device.

#show crypto key mypubkey rsa
    Displays the public key generated on a device.

#show crypto key pubkey-chain rsa
    Displays the public keys manually entered on a device.

#show crypto key pubkey-chain rsa {address address | name name}
    Displays a specific public key that was manually entered on a device.

#show crypto ipsec sa
    Displays information about all currently active IPSec SAs on a device.

#show crypto ipsec transform-set
    Displays the configuration of all transform sets currently configured on a device.

#show crypto isakmp policy
    Displays the IKE policies currently configured on a device.

#show crypto isakmp sa
    Displays information about all current IKE SAs on a device.

#show crypto map
    Displays the configuration of all crypto maps currently configured on a device.
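The four tasks for IPSec with pre-shared keys (prepare for IPSec, configure IKE, configure IPSec, test and verify), carried through as one IOS walkthrough on a single peer, ending with the show commands from the table above. This is an added example, not configuration from the study guide: the hostnames (RouterA, RouterB), addresses (192.168.1.1 and 192.168.2.1 as the peer addresses, 10.1.0.0/16 and 10.2.0.0/16 as the protected LANs), the key, and the policy, ACL and sequence numbers are all made up. Configuration lines are shown as they would be typed in configuration mode; the EXEC commands in task 4 carry a RouterA# prompt.

```cisco
! ---- Task 1: Prepare for IPSec ----
! Agree the IKE and IPSec policy with the far-side administrator, then make
! sure nothing in the path blocks IKE (UDP/500), ESP (IP protocol 50) or AH
! (IP protocol 51). If an ACL is already applied inbound on the outside
! interface, these permits must be merged into it, or phase 1 never starts.
access-list 101 permit udp host 192.168.2.1 host 192.168.1.1 eq isakmp
access-list 101 permit esp host 192.168.2.1 host 192.168.1.1
access-list 101 permit ahp host 192.168.2.1 host 192.168.1.1
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
!
! ---- Task 2: Configure IKE (phase 1) ----
crypto isakmp enable
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! "encryption 3des" and "group 2" replace the defaults (DES and DH group 1),
! which are too weak to rely on. Identity by address means the pre-shared key
! is looked up by the peer's IP address; with "crypto isakmp identity hostname"
! you would need working DNS or an "ip host" entry for the peer instead.
! Use a different key for every pair of peers, never one key for all of them.
crypto isakmp identity address
crypto isakmp key Sup3r-S3cr3t-K3y-A-B address 192.168.2.1
!
! ---- Task 3: Configure IPSec (phase 2) ----
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
 mode tunnel
!
! Global SA lifetimes (seconds and kilobytes). A crypto map entry can
! override them with "set security-association lifetime".
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Crypto ACL: defines the "interesting" outbound traffic to protect.
! RouterB must use the exact mirror image of this entry.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map entry 10 uses IKE to negotiate SAs (ipsec-isakmp). Lower
! sequence numbers are evaluated first (higher priority). A sequence that
! does not use IKE at all would be created with "crypto map VPN 20 ipsec-manual".
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set STRONG
 set pfs group2
 set security-association lifetime seconds 1800
 match address 110
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 crypto map VPN
!
! ---- Task 4: Test and verify (privileged EXEC) ----
! Send interesting traffic to trigger IKE, then walk the show commands in the
! order phase 1 -> phase 2 -> crypto map so the first failing step is obvious.
! (Older images need the interactive extended ping to set the source address.)
RouterA# ping 10.2.0.1 source 10.1.0.1
RouterA# show crypto isakmp policy
RouterA# show crypto isakmp sa
RouterA# show crypto ipsec transform-set
RouterA# show crypto ipsec sa
RouterA# show crypto map
! If the IKE SA never reaches QM_IDLE, watch the negotiation live:
RouterA# debug crypto isakmp
```

RouterB mirrors this configuration: the same transform set and IKE policy, the same pre-shared key bound to address 192.168.1.1, a crypto ACL with source and destination swapped, and set peer 192.168.1.1. Any mismatch shows up first in show crypto isakmp sa (no SA, or one stuck in MM_NO_STATE) rather than in show crypto ipsec sa.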

Written Lab

This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.

1. What are the four tasks required for IPSec using pre-shared keys?

2. What are the five tasks required for IPSec using CA?

3. What IKE authentication method would you use for RSA-encrypted nonces?

4. What command must you type before you can manually enter the public key of a remote device into your local device?

5. What is the first configuration step required when configuring IPSec with CA?

6. What command is used to configure a pre-shared key on a device?

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

288 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

7. What command can be used to show the configuration of all crypto maps currently configured on a device?

8. What is the default message-encryption algorithm used by IKE?

9. What command would be used to create a crypto map sequence that didn’t use IKE?

10. What IKE authentication method would you use for CA?
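The two RSA-based alternatives to pre-shared keys that the written lab asks about, RSA-encrypted nonces (rsa-encr, with the peer's public key entered by hand through crypto key pubkey-chain rsa) and certificates from a CA (rsa-sig, the five-task procedure), shown as one IOS walkthrough on RouterA. This is an added example, not configuration from the study guide: the hostname, domain name, the CA at 10.1.1.100, the peer at 192.168.2.1, the enrollment URL and the key size are made up, and the key-string contents are a placeholder. Only the steps that differ from the pre-shared-key configuration are shown; transform set, crypto ACL, crypto map and interface binding are unchanged. The CA-support keywords vary by IOS release: older images use crypto ca identity in place of crypto ca trustpoint and prompt for the RSA modulus instead of accepting the modulus keyword, newer ones use crypto pki trustpoint and revocation-check in place of crl optional.

```cisco
! ---- Prerequisite for any RSA-based IKE authentication ----
! The router names its RSA key pair after its FQDN, so the hostname and the
! domain name must exist before the key pair can be generated.
hostname RouterA
ip domain-name example.com
! Static name mapping for the CA. The same command is what you need for a
! peer whose IKE identity is "hostname" when DNS cannot resolve it.
ip host ca-server 10.1.1.100
!
! Generate the key pair (global configuration mode).
crypto key generate rsa modulus 1024
!
! ---- Option A: RSA-encrypted nonces (authentication rsa-encr) ----
! No CA is involved. Each administrator reads the local public key ...
RouterA# show crypto key mypubkey rsa
! ... and pastes the PEER's key into the local key chain. The key chain
! command has to be entered before a peer key can be added; keys are indexed
! by the peer's address ("addressed-key") or its hostname ("named-key").
crypto key pubkey-chain rsa
 addressed-key 192.168.2.1
  key-string
   <placeholder: paste the hex shown by "show crypto key mypubkey rsa" on RouterB>
   quit
 exit
!
crypto isakmp policy 10
 authentication rsa-encr
 encryption 3des
 hash sha
 group 2
!
! A single mistyped hex digit means the peer can never be authenticated and
! phase 1 simply never completes, so read the key back before going further:
RouterA# show crypto key pubkey-chain rsa address 192.168.2.1
!
! ---- Option B: certificates from a CA (authentication rsa-sig) ----
! Five tasks: prepare for IPSec, configure CA support, configure IKE,
! configure IPSec, test and verify. This is the CA-support task plus the
! IKE authentication method; everything else is as for pre-shared keys.
crypto ca trustpoint ca-server
 enrollment url http://ca-server:80
 crl optional
!
! Retrieve the CA certificate and compare its fingerprint with the CA
! operator out of band before accepting it: this is the trust anchor for
! every peer certificate the router will ever accept.
crypto ca authenticate ca-server
! Request the router's own certificate (prompts for the challenge password).
crypto ca enroll ca-server
!
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
!
! Verify: the CA root should be listed, and the router should hold both the
! CA certificate and its own (plus any RA certificates the CA uses).
RouterA# show crypto ca roots
RouterA# show crypto ca certificates
```

Options A and B are alternatives; configure one authentication method per IKE policy. With rsa-sig, nothing about a particular peer is entered on the router, which is why CA support scales to many peers where pre-shared keys and hand-entered public keys do not.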



Review Questions

1. Which of the following statements are true about the crypto ipsec security-association lifetime command? (Choose all that apply.)
A. It configures global IPSec SA lifetime values used when negotiating IPSec SAs.
B. It can configure the global IPSec SA lifetime values based on kilobytes.
C. It defines the outbound traffic to be protected by IPSec.
D. The values can be overridden for a crypto map.

2. Which of the following commands can be used to specify Diffie-Hellman group 1 or group 2 for a crypto map?
A. set peer
B. group
C. set pfs
D. None of the above

3. Which of the following commands would you use to reset all IKE SAs configured on a device?
A. clear crypto sa counters
B. clear crypto isakmp
C. clear crypto isakmp *
D. clear crypto isakmp conn-id

4. Which of the following would be a more secure approach for configuring pre-shared keys between peers?
A. Use the same key on all peers.
B. Use different keys on every device.
C. Use different keys for every pair of peers.
D. Use the same key for every pair of peers.

5. Which of the following commands can be used to provide error messages that occur for IKE events?
A. show crypto isakmp log
B. debug crypto ipsec
C. show crypto ipsec sa
D. debug crypto isakmp


6. When creating more than one crypto map sequence, what does a low sequence number represent?
A. Low priority
B. High priority
C. The total number of interfaces the sequence can be applied to
D. It has no relevance.

7. Why do you need to pay attention when entering peer RSA public keys?
A. Once a key is entered, there is no way to change it.
B. Improperly entered keys can cause IPSec peers to never form.
C. They are long.
D. You don’t enter RSA public keys.

8. Which of the following IKE authentication methods require you to manually generate keys? (Choose all that apply.)
A. pre-shared
B. rsa-sig
C. rsa-encr
D. rsa-ca

9. Which of the following are required to configure RSA keys? (Choose all that apply.)
A. Configure the device’s hostname.
B. Configure the device’s domain name.
C. Configure an encryption method.
D. Manage the keys.

10. Which of the following commands verifies the configuration of IKE policies?
A. show crypto isakmp sa
B. show crypto map
C. show crypto ike policy
D. None of the above

11. Which of the following commands would you use when verifying network connectivity during the “prepare for IPSec” phase?
A. telnet
B. ping
C. show running-configuration
D. show startup-configuration


12. What command is used to enable IKE?
A. show crypto isakmp policy
B. crypto isakmp key
C. crypto isakmp policy
D. crypto isakmp enable

13. Which of the following commands will display information about all of the certificates on a device?
A. show crypto ca certificates
B. show ca certificate
C. show crypto ca all
D. show crypto ca roots

14. Which of the following steps must be completed in order to support IPSec with CA? (Choose all that apply.)
A. Configure a CA server.
B. Configure CA support.
C. Configure IKE.
D. Configure IPSec.

15. Which of the following commands configures an IP address-to-hostname mapping?
A. ip host
B. hostname
C. ip domain-name
D. ip map host

16. For which of the following must you define a domain name? (Choose all that apply.)
A. IPSec with pre-shared keys
B. IPSec-manual
C. IPSec with RSA-encrypted nonces
D. IPSec with CA

17. When setting the IKE identity of a peer to a hostname, when would you need to specify the IP address of the peer?
A. Always
B. When DNS is working for name resolution
C. When DNS is not working for name resolution
D. Never


18. How many transforms can be associated with a transform set?
A. 1
B. 2
C. 3
D. 4

19. Which of the following are steps needed to configure IPSec? (Choose all that apply.)
A. Create an access list.
B. Create a transform set.
C. Create an IKE policy.
D. Apply a crypto map to an interface.

20. Which of the following types of access lists can be used for IPSec? (Choose all that apply.)
A. Extended IP access lists
B. Standard IP access lists
C. Extended named IP access lists
D. Standard named IP access lists
