Which of the following statements is true? (Select the best answer.)

Last Updated on August 2, 2021 by Admin 3

Refer to the following partial sample output from the show crypto ipsec sa command:
<output omitted>
interface: FastEthernet0/0
Crypto map tag: aesmap, local addr 10.10.10.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
current_peer 10.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x82E64150(2196128080)
PFS (Y/N): N, DH group: none
<output omitted>

Which of the following statements is true? (Select the best answer.)

  • There is a configuration mismatch between the local peer IP address and the local subnet address.
  • No DH group is configured in the IKE policy.
  • All encrypted traffic will be tagged with the value “aesmap”.
  • At least one IPSec SA is established and operational.
Explanation:
The following partial output from the show crypto ipsec sa command indicates that at least one IP Security (IPSec) security association (SA) is established and operational:
<output omitted>
interface: FastEthernet0/0
Crypto map tag: aesmap, local addr 10.10.10.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
current_peer 10.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2243, #pkts encrypt: 2243, #pkts digest: 2243
#pkts decaps: 2210, #pkts decrypt: 2210, #pkts verify: 2210
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x82E64150(2196128080)
PFS (Y/N): N, DH group: none
<output omitted>
The show crypto ipsec sa command displays detailed information about IPSec SAs, including the IP addresses of the crypto endpoints (IPSec peers), the number of packets encrypted and decrypted, the security protocol, and the corresponding Security Parameter Indices (SPIs). In this scenario, the partial command output indicates that the router should use the outbound SPI with a value of 0x82E64150 (2196128080) when sending encrypted packets from the local peer, 10.10.10.2, to the remote peer 10.20.20.2. The SPI is one of the components used to uniquely identify an IPSec SA.
Each IPSec SA is uniquely identified by its corresponding IPSec peer address, security protocol, and SPI. Because IPSec SAs are unidirectional, two SAs are required between active IPSec peers: an inbound SA and an outbound SA. The SPI associated with the outbound SA is generated by the local peer during phase 2 of the Internet Key Exchange (IKE) negotiation process and is used by the remote peer as the inbound SPI associated with this SA. Likewise, the SPI associated with the inbound SA on the local peer corresponds to the outbound SPI that was generated by the remote peer during its portion of phase 2 negotiations. Once phase 2 negotiations are complete and at least one IPSec SA is operational, the router can begin sending and receiving encrypted traffic. In this scenario, the partial command output indicates that 2,243 packets have been encrypted and 2,210 packets have been decrypted since IKE phase 2 negotiations completed and the IPSec SA was created.
The command output in this scenario does not indicate that a Diffie-Hellman (DH) group is not configured in the IKE policy. Although the output contains a field named DH group with a value of none, this field corresponds to the DH group configured for perfect forward secrecy (PFS), not to the DH group configured in an IKE policy. PFS is used to optionally encrypt IKE keying data during phase 1 negotiations. The PFS (Y/N): N field in the partial output indicates that PFS has not been configured and thus no corresponding DH group can be found.
The command output does not indicate that all encrypted traffic will be tagged with the value “aesmap”. The Crypto map tag: aesmap field in the partial command output indicates the name of the IPSec crypto map that is associated with the displayed interface. A crypto map describes which traffic should be encrypted, the remote peer IP address, and the transform set that should be used to encrypt the data.
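As an added example (not part of the original question and not Cisco code), the following Python parser pulls the fields this explanation relies on out of a constructed copy of the sample output and applies the "at least one SA is operational" check: the regular expressions and the sa_is_operational rule are assumptions about the output format, not a Cisco API.

```python
import re

# Constructed sample: the partial "show crypto ipsec sa" output discussed above.
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
Crypto map tag: aesmap, local addr 10.10.10.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
current_peer 10.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2243, #pkts encrypt: 2243, #pkts digest: 2243
#pkts decaps: 2210, #pkts decrypt: 2210, #pkts verify: 2210
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
current outbound spi: 0x82E64150(2196128080)
PFS (Y/N): N, DH group: none
"""


def parse_ipsec_sa(text):
    """Extract the fields that tell whether an IPsec SA is up (assumed field layout)."""
    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else default

    return {
        "crypto_map": grab(r"Crypto map tag: (\S+),"),
        "local_addr": grab(r"local addr (\S+)"),
        "peer": grab(r"current_peer (\S+)"),
        "remote_endpt": grab(r"remote crypto endpt\.: (\S+)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int, 0),
        "decaps": grab(r"#pkts decaps: (\d+)", int, 0),
        "send_errors": grab(r"#send errors (\d+)", int, 0),
        "recv_errors": grab(r"#recv errors (\d+)", int, 0),
        # The hex SPI is the value the peer uses as its inbound SPI for this SA.
        "outbound_spi": grab(r"current outbound spi: (0x[0-9A-Fa-f]+)",
                             lambda s: int(s, 16), 0),
        # "DH group: none" here reflects PFS, not the IKE policy's DH group.
        "pfs": grab(r"PFS \(Y/N\): (\w)") == "Y",
    }


def sa_is_operational(sa):
    """Usable SA: a non-zero outbound SPI exists and traffic flows in both directions."""
    return sa["outbound_spi"] != 0 and sa["encaps"] > 0 and sa["decaps"] > 0
```

A zero SPI with zero counters is what you see when the crypto map matched traffic but phase 2 never completed, so the check rejects that case.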