Review the IPsec phase 1 configuration in the exhibit; then answer the question below. 〖查看图示IPsec阶段1配置,然后回答下面的问题〗
Which statements are correct regarding this configuration? (Choose two)〖哪些关于这个配置的描述是正确的?(选择两个)〗
A. The remote gateway address on 10.200.3.1. 〖远程网关地址是10.200.3.1〗
B. The local IPsec interface address is 10.200.3.1. 〖本地IPsec接口地址是10.200.3.1〗
C. The local gateway IP is the address assigned to port1.〖本地网关IP地址分配给端口1〗
D. The local gateway IP address is 10.200.3.1.〖本地网关IP地址是10.200.3.1〗
【分析】
IPsec 阶段1设置中,IP地址是需要连接到远程的设备的外网地址,接口是本地设备访问外网的接口。
【答案】AC
Review the IPsec diagnostics output of the command diagnose v*n tunnel list shown in the exhibit. 〖下列图示查看命令diagnose v*n tunnel list 的IPsec诊断输出〗
Which statements is correct regarding this output? (Select one answer)〖哪些关于这个输出的描述是正确的?(选择一个答案)〗
A. One tunnel is rekeying.〖一条隧道是密匙更新〗
B. Two tunnels are rekeying.〖二条隧道是密匙更新〗
C. Two tunnels are up.〖两条隧道启用〗
D. One tunnel is up.〖一条隧道启用〗
【分析】
IPSEC使用DPD(dead peer detection)功能来检测对端peer是否存活。隧道Remote_1、Remote_2的dpt,mode都等于active,表明两条隧道都是启用的。
【答案】C
Which IPsec mode includes the peer id information in the first packet?〖哪些IPsec模式在第一个包里包含 peer id 信息?〗
A. Main mode. 〖主模式〗
B. Quick mode.〖快速模式〗
C. Aggressive mode.〖野蛮模式〗
D. IKEv2 mode.〖IKEv2模式〗
【分析】
在野蛮模式中,两端可以使用源地址或peer ID来识别对方。
在IPsec v*n第1阶段的设置中,只有选择野蛮模式,才会出现peer ID选项。
【答案】C
Review the static route configuration for IPsec shown in the exhibit; then answer the question below. 〖查看下列图示显示的关于IPsec的静态路由配置,然后回答下面问题〗
Which statements are correct regarding this configuration? (Choose two)〖哪些关于这个配置的描述是正确的?(选择两个)〗
A. Interface remote is an IPsec interface.〖接口远端是IPsec接口〗
B. A gateway address is not required because the interface is a point-to-point connection.〖因为接口是一个点对点连接,所以不需要网关地址〗
C. A gateway address is not required because the default route is used.〖因为使用的是默认路由,所以不需要网关地址〗
D. Interface remote is a zone.〖接口远端是区域〗
【分析】
【答案】AB
Review the configuration for FortiClient IPsec shown in the exhibit. 〖查看下列图示显示的 FortiClient IPsec 配置〗
Which statement is correct regarding this configuration?〖哪些关于这个配置的描述是正确的?〗
A. The connecting v*n client will install a route to a destination corresponding to the student_internal address object. 〖连接v*n客户端将安装一个路由到类似student_internal地址对象的终点〗
B. The connecting v*n client will install a default route. 〖连接v*n客户端将安装一条默认路由〗
C. The connecting v*n client will install a route to the 172.20.1.[1-5] address range.〖连接v*n客户端将安装一条路由到172.20.1.[1-5]地址范围〗
D. The connecting v*n client will connect in web portal mode and no route will be installed. 〖连接v*n客户端将连接到web门户模式并且没有路由会被安装〗
【分析】
在建立FortiClient拨号v*n的时候可以看到,地址接口和地址,就是拨号v*n接通后从远程可以访问的地址,客户端地址范围就中拨号v*n拨通后自动生成的IP地址。
【答案】A
Which statement is an advantage of using a hub and spoke IPsec v*n configuration instead of a fully-meshed set of IPsec tunnels? 〖使用星状IPsec v*n配置替代网状IPsec隧道设置的优势是什么?〗
A. Using a hub and spoke topology provides full redundancy. 〖使用星状拓扑实现完全冗余〗
B. Using a hub and spoke topology requires fewer tunnels.〖使用星状拓扑所需的隧道更少〗
C. Using a hub and spoke topology uses stronger encryption protocols.〖使用星状拓扑使用更强的加密协议〗
D. Using a hub and spoke topology requires more routes.〖使用星状拓扑需要更多的路由〗
【分析】
Hub-and-Spoke相对其它拓扑而言生成的通道最少。
【答案】B
Review the IPsec diagnostics output of the command diagnose v*n tunnel list shown in the exhibit. 〖下列图示查看命令diagnose v*n tunnel list 的IPsec诊断输出〗
Which statements is correct regarding this output? (Choose two)〖哪些关于这个输出的描述是正确的?(选择二个)〗
A. The connecting client has been allocated address 172.20.1.1. 〖客户端连接分配地址172.20.1.1〗
B. In the Phase 1 settings,dead peer detection is enabled.〖在阶段1,dpt是开启的〗
C. The tunnel is idle.〖隧道是空闲的〗
D. The connecting client has been allocated address 10.200.3.1. 〖客户端连接分配地址10.200.3.1〗
【分析】
IPSEC使用DPD(dead peer detection)功能来检测对端peer是否存活。隧道FClient_0的dpt,mode等于active,表明dpd是启用的。src目标地址是0.0.0.0,dst源地址是172.20.1.1,因为是在防火墙上进行诊断,所以源地址就是客户端拨号产生的地址。
【答案】AB
Review the IPsec phase 2 configuration shown in the exhibit; then answer the question below.〖查看图示IPsec阶段2配置,然后回答下面的问题〗
Which statement is correct regarding this configuration?〖哪些关于这个配置的描述是正确的?〗
A. The Phase 2 will re-key even if there is no traffic.〖阶段2即使没有流量也会重新更新**〗
B. There will be a DH exchange for each re-key.〖每次DH交换也会重新更新**〗
C. The sequence number of ESP packets received from the peer will not be checked.〖从对方接收到的ESP数据包的***将不会被检查〗
D. Quick mode selectors will default to those used in the firewall policy. 〖防火墙策略默认使用快速模式选择器〗
【分析】
Autokey Keep Alive 自动**保持存活的状态为启用。阶段2的**协商到期可能因为没有数据传输,导致IPSec 隧道down,如果有新的数据走隧道传输要求,将会触发隧道重新建立。隧道建立的过程需要时间,在隧道建立期间往往会发生丢包的问题,从而影响某些应用正常工作。最好的解决办法是即使隧道空闲,还会继续协商阶段2的**,同时隧道也不down。这就是参数保持存活的作用。
迪菲-赫尔曼**交换(Diffie–Hellmankey exchange,简称“D–H”) 是一种安全协议。它可以让双方在完全没有对方任何预先信息的条件下通过不安全信道建立起一个**。这个**可以在后续的通讯中作为对称**来加密通讯内容。
【答案】AB
Review the IKE debug output for IPsec shown in the exhibit below. 〖下列图示查看 IPsec 的 IKE 排错输出〗
Which statements is correct regarding this output? 〖哪些关于这个输出的描述是正确的?〗
A. The output is a phase 1 negotiation.〖输入出的是阶段1协商〗
B. The output is a phase 2 negotiation.〖输入出的是阶段2协商〗
C. The output captures the dead peer detection messages.〖输出的是dtd信息〗
D. The output captures the dead gateway detection packets. 〖输入出的是dgd包〗
【分析】
DPD的工作原理是:当IPSec隧道间有双向数据传输时,DPD不发送探测消息;如果只有发出而没有回复数据,或者链路空闲、没有数据传输时,DPD就周期性发送IKE通知消息给对端,如果收到对端ack消息,则表明路径工作正常,反之,则判断路径有故障。
【答案】C
Which statements are correct properties of a partial mesh v*n deployment. (Choose two)〖哪些关于局部网状v*n部署的描述是正确的?(选择两个)〗
A. v*n tunnels interconnect between every single location.〖每个单点之间都有v*n隧道互连〗
B. v*n tunnels are not configured between every single location.〖每个单点之间没有配置v*n隧道〗
C. Some locations are reached via a hub location.〖有些点通到一个中心位置〗
D. There are no hub locations in a partial mesh.〖局部网状态没有中心位置〗
【分析】
Partial Mash 和 Full Mash 是有区别的。
【答案】BC