CCIE Security Exam: Cisco 400-251 Configuration Analysis

Question

crypto isakmp profile vpn1
 vrf vpn1
 keyring vpn1
 match identity address 172.16.1.1 255.255.255.255
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
!
interface Ethernet1/2
 crypto map crypmap

Which statements apply to the above configuration? (Choose two.)

Answers

Explanations

AC.

The configuration shown sets up a site-to-site IPsec VPN tunnel using ISAKMP for key management. Let's go through the commands one by one to understand what is happening.

Firstly, the following commands create an ISAKMP profile named "vpn1" and associate it with a VRF named "vpn1":

crypto isakmp profile vpn1
 vrf vpn1

This means that the ISAKMP profile will be bound to the VRF named "vpn1". VRF-Aware IPsec is a feature that allows IPsec tunnels to be created in the context of a specific VRF.

Next, the following command configures a keyring named "vpn1" to be used by the ISAKMP profile "vpn1":

keyring vpn1

This keyring contains the pre-shared key or digital certificate used to authenticate the VPN tunnel.

Then, the following command specifies that the remote peer for this IPsec tunnel is the IP address 172.16.1.1:

set peer 172.16.1.1

The next command specifies the transform set that will be used for the encryption and authentication of the IPsec tunnel:

set transform-set vpn1

This command specifies that the VPN tunnel will use the "vpn1" transform set, which defines the encryption and authentication algorithms to be used for the VPN tunnel.

The following command specifies that the ISAKMP profile named "vpn1" will be used for this IPsec tunnel:

set isakmp-profile vpn1

This command associates the ISAKMP profile named "vpn1" with this IPsec tunnel.

Finally, the following command defines entry 1 of the crypto map named "crypmap", which the configuration applies to the interface Ethernet1/2:

crypto map crypmap 1 ipsec-isakmp

This command specifies that the crypto map named "crypmap" will be used for this IPsec tunnel.

In summary, the configuration shown creates an IPsec VPN tunnel that is VRF-aware, meaning it is created within a specific VRF context. The VRF-aware feature is made possible by binding the ISAKMP profile to a specific VRF. The configuration also specifies the remote peer, transform set, and crypto map to be used for this IPsec tunnel. The configuration is valid and contains no redundant commands.

Therefore, the correct statements are:

  • A. This configuration shows the VRF-Aware IPsec feature that is used to map the crypto ISAKMP profile to a specific VRF.
  • C. An IPsec tunnel can be mapped to a VRF instance.
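
The chain the explanation walks through (interface, crypto map entry, ISAKMP profile, VRF) can be checked mechanically when reviewing a device configuration. The following Python sketch is an added example, not part of the original question or of any Cisco tooling; the function names are hypothetical, and it assumes the configuration is laid out one command per line with sub-commands indented, as in the re-indented copy of the question's configuration embedded below.

```python
# The question's configuration, re-indented one command per line.
CONFIG = """\
crypto isakmp profile vpn1
 vrf vpn1
 keyring vpn1
 match identity address 172.16.1.1 255.255.255.255
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
!
interface Ethernet1/2
 crypto map crypmap
"""

def parse_blocks(text):
    """Return {top-level command: [indented sub-commands]}."""
    blocks, head = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and head:
            blocks[head].append(line.strip())
        else:
            head = line.strip()
            blocks[head] = []
    return blocks

def arg(subs, prefix):
    """Argument of the first sub-command starting with prefix, else None."""
    return next((s[len(prefix):] for s in subs if s.startswith(prefix)), None)

def resolve_tunnels(text):
    """Follow interface -> crypto map entry -> ISAKMP profile -> VRF."""
    blocks = parse_blocks(text)
    vrf_of = {h.split()[3]: arg(s, "vrf ") for h, s in blocks.items()
              if h.startswith("crypto isakmp profile ")}
    tunnels = []
    for intf, isubs in blocks.items():
        applied = arg(isubs, "crypto map ") if intf.startswith("interface ") else None
        for h, s in blocks.items():
            p = h.split()
            if p[:2] == ["crypto", "map"] and len(p) == 5 and p[2] == applied:
                prof = arg(s, "set isakmp-profile ")
                tunnels.append({"interface": intf.split()[1], "map": applied,
                                "seq": int(p[3]), "peer": arg(s, "set peer "),
                                "profile": prof, "vrf": vrf_of.get(prof)})
    return tunnels
```

Calling resolve_tunnels(CONFIG) reports the tunnel on Ethernet1/2 as bound to VRF "vpn1" through profile "vpn1"; an entry whose "vrf" is None has no VRF binding in its ISAKMP profile.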