Pregunta 1
Pregunta
Uses UDP port 500 (and UDP port 4500 when crossing NAT)
Negotiates a tunnel’s private keys, authentication, and encryption
One lPsec SA is used per traffic direction.
Phases:
Phase1
Phase2
Pregunta 2
Pregunta
Phase 1 negotiation modes
Respuesta
-
main mode
aggresive mode
-
main mode
quick mode
Pregunta 3
Pregunta
Phase 2 negotiation mode
Respuesta
-
aggresive mode
-
quick mode
Pregunta 4
Pregunta
takes place when each endpoint of the tunnel—the initiator and the responder—connects and begins to set up the VPN.
Pregunta 5
Pregunta
[blank_start]2.[blank_end] Negotiate one bidirectional SA (called IKE SA) *ln IKE v1, two possible ways: -Main mode: six packets exchanged -Aggressive mode: three packets exchanged *Not the same as final SAs later *Encrypted tunnel for Diffie-Hellman (DH)
[blank_start]1 .[blank_end] Authenticate peers *Pre—shared key or digital signature *Extended authentication (XAuth)
[blank_start]3.[blank_end] DH exchange for secret keys
Pregunta 6
Pregunta
Key agreement method:
Independently calculate a private key using only public keys
Each FortiGate uses a shared secret key plus a nonce to calculate keys for the following:
Symmetric encryption algorithms (such as 3DES, AES)
Symmetric authentication (HMACs)
Pregunta 7
Pregunta
ESP can´t support NAT because it has no port numbers.
Pregunta 8
Pregunta
Negotiates two unidirectional SAs for ESP (called lPsec SAS)
Protected by phase IKE SA
When SAs are about to expire, it renegotiates
Optionally, if Perfect Forward Secrecy is set to Enabled, FortiGate uses Diffie-Hellman to generate new keys each time phase 2 expires.
Each phase 1 can have multiple phase 2s.
High security subnets can have stronger ESP.
Pregunta 9
Pregunta
Also, if you set ____________ to Enable, each time phase 2 expires, FortiGate will use Diffie-Hellman to recalculate new secret keys. In this way, new keys are not derived from older keys, making it much harder for an attacker to crack the tunnel.
Respuesta
-
Perfect Forward Secrecy
-
NAT-Transversal
-
Split tunneling
Pregunta 10
Pregunta
If multiple phase 2 exist, FortiGate directs traffic to the correct phase 2.
Allows granular security settings for each LAN.
If traffic does not match an lPsec SA selector, it is dropped.
ln point-to-pointVPNs, selectors must match.
- The source on one FortiGate is the destination setting on the other.
Select which SA to apply using:
Destination and source IP subnet(s)
Protocol number
Source port and destination port
Respuesta
-
Quick mode selectors
-
Phase 2
-
Phase 1
-
Agressive mode
Pregunta 11
Pregunta
During phase 2, you must configure a pair of settings called quick mode selectors. They identify and direct traffic to the appropriate phase 2. In other words, they allow granular SAs.
Pregunta 12
Pregunta
In aggressive mode, how many packets are exchanged to establish phase 1 of the lPsec tunnel?
Pregunta 13
Pregunta
Which statement about quick mode selectors is true?
Pregunta 14
Pregunta
Settings need in Dialup VPN between two fortigates
Respuesta
-
A phase 1
At least one phase 2
Firewall policies
Static routes or a dynamic routing protocol
-
A phase 1
At least one phase 2
Firewall policies
Static routes or a dynamic routing protocol
IPsec interface
Pregunta 15
Pregunta
Dialup IPsec is also known as
Respuesta
-
A. point-to-point
-
B. point-to—multipoint
Pregunta 16
Pregunta
IKE mode configuration automatically configures network settings?