Which of the following are not default values in an IKE policy on an ASA running software version 8.4 or higher? (Select 2 choices.)
- PSK-based authentication method
- 168-bit DES encryption algorithm
- 1024-bit DH group
- MD5 hash algorithm
- 14,400-second lifetime
Explanation:
The Message Digest 5 (MD5) algorithm and a 14,400-second lifetime are not default values in an Internet Key Exchange (IKE) policy on a Cisco Adaptive Security Appliance (ASA) running software version 8.2. Virtual private network (VPN) peers establish a connection through a series of negotiations and authentications. Initially, the VPN peers negotiate an IKE security association (SA) and establish a tunnel for key management and authentication. This initial phase is referred to as IKE phase 1. The key management tunnel is used to protect the subsequent negotiation of IP Security (IPSec) SAs. This secondary negotiation phase is referred to as IKE phase 2.
Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to negotiate the creation of the key management tunnel in IKE phase 1. There are six required parameters in an IKE policy:
– Policy priority – specifies the order in which policies are negotiated with a peer
– Authentication method – indicates whether a preshared key (PSK) or an RSA digital certificate is used to verify the identity of an IKE peer
– Encryption algorithm – indicates the data protection method used to secure IKE traffic
– Hash-based Message Authentication Code (HMAC) algorithm – indicates the data integrity method used to verify the integrity of IKE traffic
– Diffie-Hellman (DH) group – specifies how keying material is generated between IKE peers
– Lifetime – specifies the length of time that a key is considered valid; the default is 86,400 seconds, or 24 hours
If an IKE policy does not specify a parameter and its associated value, the ASA will use the default value. The default IKE policy settings are shown below:

The default IKE policy settings are combined with the configuration parameters specified in the running configuration. For example, because the following block of commands does not specify an HMAC algorithm, an ASA running software revision 8.4 or higher would use the default value, which is SHA1:
ASA(config)# crypto ikev1 policy 1
ASA(config-ikev1-policy)# authentication rsa-sig
ASA(config-ikev1-policy)# encryption aes-192
ASA(config-ikev1-policy)# group 1
ASA(config-ikev1-policy)# lifetime 14400
In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must agree on security parameters. For example, when ASA1 sends an IKE policy proposal to ASA2, the IKE policy is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match to one of ASA2’s locally defined policies; otherwise, it will be rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is considered a match if the value specified by the remote peer is less than or equal to the IKE lifetime defined in the local policy. If the IKE lifetime value is less than that of the local policy, the ASA will use the lesser of the two values.
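The default-filling and phase 1 matching rules described above, as an added Python model that is not part of the original explanation or of Cisco's code. The priority 1 policy mirrors the command block above; the priority 10 all-defaults policy and the peer proposals are constructed for illustration.

```python
# Added example (not from the original page): models how an ASA running 8.4+
# fills in default IKEv1 policy values and matches a peer's phase 1 proposal.

# Defaults named in the explanation: PSK, 3DES (168-bit), SHA-1,
# 1024-bit DH (group 2) and an 86,400-second lifetime.
IKE_DEFAULTS = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "sha",
    "group": 2,
    "lifetime": 86400,
}
EXACT_MATCH_KEYS = ("authentication", "encryption", "hash", "group")

# Local policies keyed by priority. Priority 1 is the command block above
# (no hash configured, so SHA-1 is assumed); priority 10 is a constructed
# all-defaults policy added for illustration.
LOCAL_POLICIES = {
    1: {"authentication": "rsa-sig", "encryption": "aes-192",
        "group": 1, "lifetime": 14400},
    10: {},
}


def complete_policy(configured):
    """Merge the explicitly configured parameters over the ASA defaults."""
    policy = dict(IKE_DEFAULTS)
    policy.update(configured)
    return policy


def match_proposal(local_policies, proposal):
    """Return (priority, negotiated_lifetime) for the first local policy,
    in priority order, that accepts the proposal, or None if all reject it.
    Every parameter except lifetime must match exactly; the lifetime matches
    only if the peer's value is <= the local one, and the lesser value is used.
    """
    for priority in sorted(local_policies):
        local = complete_policy(local_policies[priority])
        if any(local[k] != proposal[k] for k in EXACT_MATCH_KEYS):
            continue
        if proposal["lifetime"] > local["lifetime"]:
            continue
        return priority, min(local["lifetime"], proposal["lifetime"])
    return None


if __name__ == "__main__":
    peer = complete_policy({"authentication": "rsa-sig", "encryption": "aes-192",
                            "group": 1, "lifetime": 7200})
    print(match_proposal(LOCAL_POLICIES, peer))  # (1, 7200)
    peer["hash"] = "md5"  # MD5 is not a default and matches no local policy
    print(match_proposal(LOCAL_POLICIES, peer))  # None
```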