Home > IPSec Questions

IPSec Questions

Question 1

The session status for an IPsec tunnel with IPv6-in-IPv4 is down with the error message IKE message from failed its sanity check or is malformed. Which statement describes a possible cause of this error?

A. There is a verification failure on the IPsec packet.
B. The SA has expired or has been cleared.
C. The pre-shared keys on the peers are mismatched.
D. There is a failure due to a transform set mismatch.
E. An incorrect packet was sent by an IPsec peer.


Answer: C

Question 2

Refer to the exhibit.

IPSEC(ipsec process proposal): proxy identities not supported

What is a possible reason for the IPSEC tunnel not establishing?

A. The peer is unreachable.
B. The transform sets do not match.
C. The proxy IDs are invalid.
D. The access lists do not match.


Answer: D

Question 3

What is a disadvantage of using aggressive mode instead of main mode for ISAKMP/IPsec establishment?

A. It does not use Diffie-Hellman for secret exchange.
B. It does not support dead peer detection.
C. It does not support NAT traversal.
D. It does not hide the identity of the peer.


Answer: D

Question 4

Which three statements are functions that are performed by IKE phase 1? (Choose three)

A. It builds a secure tunnel to negotiate IKE phase 1 parameters.
B. It establishes IPsec security associations.
C. It authenticates the identities of the IPsec peers.
D. It protects the IKE exchange by negotiating a matching IKE SA policy.
E. It protects the identities of IPsec peers.
F. It negotiates IPsec SA parameters.


Answer: C D E

Comments (2) Comments
  1. Sambe
    August 7th, 2015

    In my opinion the response to question 2 is B and not D ?

  2. Eissa
    August 9th, 2015

    Proxy Identities Not Supported

    This message appears in debugs if the access list for IPsec traffic does not match.

    1d00h: IPSec(validate_transform_proposal): proxy identities not supported
    1d00h: ISAKMP: IPSec policy invalidated proposal
    1d00h: ISAKMP (0:2): SA not acceptable!

    The access lists on each peer needs to mirror each other (all entries need to be reversible). This example illustrates this point.

    Peer A
    access-list 150 permit ip
    access-list 150 permit ip host host
    Peer B
    access-list 150 permit ip
    access-list 150 permit ip host host

Add a Comment

Reload Image