Answers to Written Lab

Answers to Written Lab

1.The four tasks required for IPSec using pre-shared keys are prepare for IKE and IPSec, configure IKE, configure IPSec, and test and verify IPSec.

2.The five tasks required for IPSec using CA are prepare for IKE and IPSec, configure CA support, configure IKE, configure IPSec, and test and verify IPSec.

3.Use the IKE authentication method rsa-encr for RSA-encrypted nonces.

4.You type the command key-string before manually entering the public key of a remote device into your local device.

5.You must first configure a hostname and a domain name when configuring IPSec with CA.

6.Use the command crypto isakmp key keystring {address peer-address | hostname peer-hostname} to configure a pre-shared key on a device.

7.To show the configuration of all crypto maps currently configured on a device, use the command show crypto map.

8.DES is the default message-encryption algorithm used by IKE.

9.Use the command crypto map map-name seq-num ipsec-manual to create a crypto map sequence that doesn’t use IKE.

10.The IKE authentication method rsa-sig is used for CA.

296 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

Answers to Review Questions

1.A, B, D. The crypto ipsec security-association lifetime command defines the global IPSec SA lifetime based on kilobytes and seconds. This is the amount of time and the number of kilobytes that will pass before an SA needs to be renegotiated. These values can be overridden at the crypto map level.

2.C. To set the Diffie-Hellman group to use for a crypto map, enter the command set pfs {1 | 2} in crypto map configuration mode.

3.C. To reset all active IKE SAs on a device, use the * keyword with the clear crypto isakmp command. If you just want to reset a particular IKE SA, use the clear crypto isakmp connid command.

4.C. When configuring pre-shared keys, each pair of peers must have the same key configured. However, for security you should assign a different key for each pair of peers.

5.D. When you need to know the errors that occur for IKE events, use the debug crypto isakmp command. When you need to view this information for IPSec events, use the debug crypto ipsec command.

6.B. The sequence number of a crypto map sequence represents the priority of the sequence: the lower the sequence number, the higher the priority.

7.B. When manually entering peer RSA public keys, you must pay attention. If a key is entered improperly, it can cause IPSec peers to never form.

8.B, C. When using the RSA-encrypted nonces or the RSA signatures authentication method for IKE, you must manually generate the RSA public/private key pair.

9.A, B, D. When configuring RSA keys, you must plan for RSA, configure the device’s hostname and domain name, generate the keys, manually enter the public keys, and manage the keys.

10.D. When you need to verify the configuration of IKE policies on a device, use the show crypto isakmp policy command. So the only correct answer is D.

11.B. When you need to verify basic network connectivity, use the ping command.

12.D. To enable IKE, which is the first step in creating and configuring IKE policies, use the crypto isakmp enable command.

13.A. To display information about a device’s certificate, the CA server certificate, and any registration authority certificates, use the show crypto ca certificates command.

14.B, C, D. To support IPSec with CA, you must prepare for IKE and IPSec, configure CA support, configure IKE, configure IPSec, and test and verify IPSec.

15.A. To configure a static IP address-to-hostname mapping, use the ip host command.

16.A, C, D. You must configure a hostname and a domain name whenever you configure IPSec using RSA-encrypted nonces or CA. The reason for this is that RSA uses the hostname and the domain name in the identification of a device.

17.C. When the IKE identity of a peer is set to a hostname, you do not need to specify the IP address unless DNS is working for name resolution. You would then need to create a hostname-to-IP address mapping on the device for the remote peer.

18.C. A transform set must have at least one transform associated with it, but can have up to three.

19.A, B, D. When configuring IPSec, you must create the transform set, set the IPSec SA lifetime, create the access list that will specify the traffic to encrypt, create the crypto map, and apply the crypto map to an interface.

20.A, C. IPSec uses extended named or numbered IP access lists for defining the traffic to encrypt.