30 Cards in this Set

  • Front
  • Back
What IP Protocols are relevant for secured connectivity?
AH - IP protocol 51; ESP - IP protocol 50; GRE - IP protocol 47; ISAKMP - UDP 500 (UDP 4500 when NAT traversal is in use)
What do DMVPNs rely on?
mGRE (Multipoint GRE) and NHRP (Next Hop Resolution Protocol)
What is a GET VPN?
Cisco WAN encryption technology that doesn't rely on point-to-point tunnels: all trusted group members share a common security policy and keys distributed by a key server.
Create an ISAKMP policy.
conf t
crypto isakmp enable
crypto isakmp policy 100
 encryption aes 192
 hash sha
 authentication pre-share   (or rsa-sig for certificate-based authentication)
 group 5
Note: on IOS "hash sha" means SHA-1 and group 5 is a 1536-bit DH group; on current code prefer sha256 and group 14 or higher.
Create an IPSEC transform set
conf t
crypto ipsec transform-set MYSET esp-aes 192 esp-sha-hmac
Setup a preshared key
crypto isakmp key PASSWORD address 10.0.0.14
Create a crypto map and apply to interface
conf t
crypto map MAPNAME 10 ipsec-isakmp
 match address 100
 set peer 10.0.0.14
 set transform-set MYSET
 set security-association lifetime seconds 86400
 exit
interface fa0/0
 crypto map MAPNAME
Note: "match address 100" refers to an extended ACL that selects the interesting traffic; it must be defined separately. The SA lifetime set here (86400 s) is the maximum; the IOS default is 3600 s.
What key show commands are there?
show crypto isakmp policy
show crypto ipsec policy
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
What preparation is necessary before obtaining a certificate?
1. Confirm the time and time zone are correct (certificate validity periods are checked against the router clock)
2. Set a host name for the router
3. Set a domain name for the router (host name and domain name form the RSA key pair's name)
4. Set up DNS or a static host entry for the CA server
How do you generate a local key pair on a router?
conf t crypto key generate rsa
How do you setup and authenticate a CA?
hostname R1_7206
ip domain-name cisco.com
ip name-server 10.1.1.10
ip host vpnca 10.1.1.12
crypto key generate rsa
crypto ca trustpoint VPNCA
 enrollment url http://VPNCA:80
crypto ca authenticate VPNCA
crypto ca enroll VPNCA
Note: "crypto ca authenticate" downloads and has you verify the CA certificate fingerprint; check it out-of-band before accepting. "crypto ca enroll" then requests the router's own certificate.
How do you add a route for the remote destination network with a GRE tunnel?
conf t
ip route 10.1.0.0 255.255.255.0 Tunnel0
Note: a static route takes a subnet mask, not a wildcard mask.
What ACL do you need to use IPSEC with GRE?
conf t
access-list 140 permit gre host 192.168.0.1 host 10.0.0.1
Note: the two hosts are the local tunnel source and the remote tunnel destination, so the whole GRE tunnel (including its routing protocol traffic) is protected.
How do you create an ISAKMP key for use with dynamic end points?
conf t
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0
Note: the wildcard address means any peer that knows the key can authenticate; use a long random key, or certificates, when spoke addresses are not known in advance.
Configure a mGRE interface on a HUB router including ipsec profile assignment and NHRP?
conf t
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 tunnel source fa0/1
 tunnel mode gre multipoint
 ip nhrp authentication TESTDMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 tunnel key 100
 tunnel protection ipsec profile DMVPN
Configure a DMVPN Connection between a hub and a router. 
!! HUB ROUTER CONFIGURATION
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set strong
!
interface Tunnel0
 ip address 10.2.1.1 255.255.255.0      <-- tunnel IP
 ip hold-time eigrp 100 35
 no ip next-hop-self eigrp 100          <-- allow spoke-to-spoke routing
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip split-horizon eigrp 100          <-- allow spoke-to-spoke routing
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile PROTECT
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 no auto-summary
!
!! SPOKE CONFIGURATION
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set strong
!
interface Tunnel0
 ip address 10.2.1.2 255.255.255.0      <-- tunnel address
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN
 ip nhrp map 10.2.1.1 100.1.1.2         <-- static map: hub tunnel address -> hub real address
 ip nhrp map multicast 100.1.1.2        <-- needed for routing protocol multicast, hub real address
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.2.1.1
 no ip split-horizon eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile PROTECT
!
router eigrp 100
 network 10.1.2.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 no auto-summary
Note: 3DES, DH group 2 and a wildcard preshared key of "cisco" are lab values. In production use AES, SHA-256 and group 14 or higher, and either a strong random key or certificate authentication.
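Added example, not part of the flashcard set and not Cisco code: a small Python audit that parses the kind of IOS crypto configuration shown on the ISAKMP policy, transform-set, preshared-key, crypto-map and DMVPN cards above and flags the weak choices those configurations contain (3DES, SHA-1, DH group 2, a wildcard preshared key of "cisco", an SA lifetime above the IOS default). The sample config, the weak-setting lists and the key-length threshold are this example's own assumptions, and the parser handles only the command forms that appear on these cards.

```python
"""Audit an IOS IPsec/ISAKMP configuration for weak settings (added example)."""
import re

# Constructed sample, modelled on the cards above; not a real device config.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set better esp-aes 256 esp-sha256-hmac
crypto ipsec profile PROTECT
 set transform-set strong
crypto map MAPNAME 10 ipsec-isakmp
 match address 100
 set peer 10.0.0.14
 set transform-set better
 set security-association lifetime seconds 86400
"""

# What this example treats as weak (assumption: current practice, not an IOS rule).
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}             # plain "sha" on IOS is SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}       # 768/1024/1536-bit MODP groups
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
WEAK_ESP_HMACS = {"esp-md5-hmac", "esp-sha-hmac"}
IOS_DEFAULT_SA_LIFETIME = 3600         # seconds
GUESSABLE_KEYS = {"cisco", "password", "secret"}


def parse_blocks(config):
    """Group an IOS config into (header, [sub-commands]) pairs, like the CLI modes."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            pol = words[3]
            for item in body:
                w = item.split()
                if w[0] in ("encr", "encryption") and w[1] in WEAK_ENCR:
                    findings.append(f"isakmp policy {pol}: weak cipher {w[1]}")
                elif w[0] == "hash" and w[1] in WEAK_HASH:
                    findings.append(f"isakmp policy {pol}: weak hash {w[1]}")
                elif w[0] == "group" and w[1] in WEAK_DH_GROUPS:
                    findings.append(f"isakmp policy {pol}: weak DH group {w[1]}")
        elif header.startswith("crypto isakmp key "):
            # crypto isakmp key [0|6] <key> address <addr> [<mask>]
            w = words[3:]
            if w[0] in ("0", "6"):          # optional key-encryption level prefix
                w = w[1:]
            key, addr = w[0], w[2]
            mask = w[3] if len(w) > 3 else "255.255.255.255"
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append("isakmp key: wildcard peer 0.0.0.0 0.0.0.0 "
                                "(any host holding the key can authenticate)")
            if len(key) < 16 or key.lower() in GUESSABLE_KEYS:
                findings.append(f"isakmp key for {addr}: short or guessable preshared key")
        elif header.startswith("crypto ipsec transform-set "):
            name = words[3]
            for tok in words[4:]:
                if tok in WEAK_ESP_CIPHERS:
                    findings.append(f"transform-set {name}: weak cipher {tok}")
                elif tok in WEAK_ESP_HMACS:
                    findings.append(f"transform-set {name}: weak integrity {tok}")
        elif header.startswith("crypto map ") and header.endswith(" ipsec-isakmp"):
            for item in body:
                m = re.match(r"set security-association lifetime seconds (\d+)$", item)
                if m and int(m.group(1)) > IOS_DEFAULT_SA_LIFETIME:
                    findings.append(f"crypto map {words[2]} {words[3]}: SA lifetime {m.group(1)}s "
                                    f"exceeds the IOS default of {IOS_DEFAULT_SA_LIFETIME}s")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a `show running-config` capture; policy 20 and transform set "better" in the sample pass untouched, which is the shape to aim for when replacing the 3DES/group 2 lines on the cards.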
What was GET VPN designed for?
To be a low overhead, any to any VPN technology that could be used for voice, video and data networks
What does MPLS VPN not have that GET VPN does?
End to end encryption
Over what networks can GET VPN be deployed?
Any: IP, MPLS, Frame Relay or ATM
Why would you use GET VPN with DMVPN?
DMVPN can be used over a public network from private IPs, and adding GET VPN reduces the latency and delay caused by per-tunnel negotiation, since group members share one policy and key set.
What is GDOI?
Group Domain of Interpretation Protocol - GET VPN protocol that is used between Group Member and Group Key Server to transmit SA and keying information. Runs on UDP 848.
What is the GCKS?
Group Controller/Key Server - maintains policy and creates SAs and keys in a GET VPN deployment.
What are the two keys in GET VPN?
TEK - Traffic Encryption Key (shared by all group members to encrypt data traffic). KEK - Key Encryption Key (used by the key server to protect rekey messages that carry new TEKs).
What are the three steps in a GET VPN setup and communication?
1. Group members come online and register with the GCKS, receiving the SA and keys for transmission. 2. Group members transfer data directly between themselves using the TEK. 3. When needed, the GCKS sends rekeying information protected with the KEK.
What protects GDOI traffic?
An ISAKMP Phase 1 tunnel
What are the four steps in GDOI registration?
1. The member sends HDR, HASH, Nonce and group ID to the GCKS. 2. The GCKS sends HDR, HASH, Nonce and SA. 3. The member sends HDR and HASH to the GCKS. 4. The GCKS sends HDR, HASH and the keys.
Why is GET VPN tunneless?
The original IP header is preserved: the outer header of the encrypted packet carries the original source and destination addresses rather than tunnel endpoint addresses, so no tunnel interfaces or overlay addressing are needed and the existing routing and QoS policy keep working.
How is traffic to be sent through a GET VPN identified?
By the Group Member ACL on the GCKS that is pushed to members.
Configure a GET VPN key server and group member
! GET VPN Key Server
!
crypto key generate rsa general-keys label getvpn-export-general exportable
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 100.1.1.6
crypto isakmp key cisco address 100.1.1.10
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto ipsec profile GDOI-PROTECT
 set transform-set strong
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROTECT
   match address ipv4 110
   replay time window-size 5
  address ipv4 100.1.1.2
  redundancy
   local priority 100
!
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! GET VPN Group Member
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 100.1.1.2
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 100.1.1.2
!
crypto map GETVPN 10 gdoi
 set group GETVPN
!
interface FastEthernet0/0
 ip address 100.1.1.10 255.255.255.252
 speed 10
 full-duplex
 crypto map GETVPN
Note: the RSA key pair is generated exportable so the same key can be installed on a cooperative (redundant) key server; rekey messages are signed with it, so group members verify the key server's public key. Time-based anti-replay ("replay time window-size") requires the key server and all group members to have synchronised clocks. 3DES, group 2 and the key "cisco" are lab values.
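Added example, not part of the flashcard set and not Cisco code: a packet-level Python model of the two GET VPN properties on the cards above, the encryption ACL the key server pushes to group members (access-list 110 from the configuration card) and header preservation, which is what makes GET VPN tunnelless. It builds real IPv4 headers with checksums and compares the outer header a group member produces with the one classic IPsec tunnel mode would produce for the same packet. The packets are constructed, the ESP body is an opaque placeholder rather than real encryption, and the ACL parser handles only the numbered-extended net/wildcard form shown on the card.

```python
"""GET VPN header preservation and the key-server ACL, modelled at packet level (added example)."""
import struct
import ipaddress

ESP = 50   # IP protocol number carried in the outer header of an ESP packet


def ip_checksum(header):
    """RFC 1071 ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet: a 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return src, dst, protocol and payload; a valid header checksums to zero."""
    if ip_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[20:]}


def acl_entry(line):
    """Parse 'access-list N permit|deny ip <net> <wildcard> <net> <wildcard>'.
    Assumption: only this form is handled, not the 'host' or 'any' keywords."""
    w = line.split()
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return {"action": w[2], "src": (to_int(w[4]), to_int(w[5])), "dst": (to_int(w[6]), to_int(w[7]))}


def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def must_encrypt(acl, src, dst):
    """First matching entry wins: permit = encrypt, deny or no match = send in clear."""
    for e in acl:
        if wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
            return e["action"] == "permit"
    return False


def getvpn_encapsulate(pkt):
    """Header preservation: the outer header repeats the original src/dst, proto ESP.
    b'ESP:' + pkt stands in for the ESP header and encrypted original packet."""
    inner = parse_ipv4(pkt)
    return build_ipv4(inner["src"], inner["dst"], ESP, b"ESP:" + pkt)


def tunnel_encapsulate(pkt, tun_src, tun_dst):
    """Classic IPsec tunnel mode for comparison: the outer header names the tunnel endpoints."""
    return build_ipv4(tun_src, tun_dst, ESP, b"ESP:" + pkt)


# The ACL the key server pushes to group members, taken from the configuration card.
GM_ACL = [acl_entry("access-list 110 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255")]


def group_member_forward(pkt, acl=GM_ACL):
    """What a group member does with an outbound packet: encrypt with header preservation or pass."""
    h = parse_ipv4(pkt)
    return getvpn_encapsulate(pkt) if must_encrypt(acl, h["src"], h["dst"]) else pkt


if __name__ == "__main__":
    p = build_ipv4("10.1.1.5", "10.1.2.9", 6, b"constructed TCP segment")
    g = parse_ipv4(group_member_forward(p))
    print("GET VPN outer header:    ", g["src"], "->", g["dst"], "proto", g["proto"])
    t = parse_ipv4(tunnel_encapsulate(p, "100.1.1.10", "100.1.1.6"))
    print("tunnel-mode outer header:", t["src"], "->", t["dst"], "proto", t["proto"])
```

The practical consequence shows in the two printed headers: a capture of GET VPN traffic shows ESP between the original 10.1.x.x hosts, so any firewall or ACL between group members must permit protocol 50 between those real addresses, not between a pair of tunnel endpoints.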
What show commands are handy for GET VPN?
show crypto isakmp sa
show crypto gdoi
show crypto gdoi ks acl
show crypto gdoi ks members
show crypto gdoi ks policy
show crypto gdoi ks rekey
show crypto gdoi ks replay
show crypto session detail
show crypto gdoi gm rekey
show crypto gdoi gm acl