Company XYZ has designed their network to run GRE over IPsec on their Internet-based VPN to connect two sites. Which IPsec tunneling feature can they enable to optimize the data flow while ensuring that the headers contain no duplicate IP addresses?
I think the correct answer is C.
In transport mode, IPsec encrypts only the payload (data portion), leaving the original IP header intact. This minimizes overhead in the GRE tunnel and ensures that the header does not contain duplicate IP addresses. This helps optimize data flow in a GRE over IPsec setup.
Correct answer is D
By using tunnel mode, the original IP packet, including the GRE header, is encapsulated within a new IP packet with a different IP address. This ensures that the headers contain unique IP addresses and prevents any conflicts or duplication of IP addresses.
Tunnel Mode in IPsec Phase II: This mode encapsulates the entire IP packet, including the original source and destination IP addresses, within the IPsec tunnel. This ensures that the headers of the encapsulated packet do not contain duplicate IP addresses, preventing potential routing issues.
After careful research the answer is actually C. GRE headers are enough to hide original IP packet headers and enable transport over public IP addresses.
In IPsec Phase II, the tunnel mode is used to encapsulate the entire IP packet within a new IP packet, creating an outer IP header. This mode is typically used for site-to-site VPN connections, such as in the case of GRE over IPsec.
By using tunnel mode, the original IP packet, including the GRE header, is encapsulated within a new IP packet with a different IP address. This ensures that the headers contain unique IP addresses and prevents any conflicts or duplication of IP addresses.
D. Tunnel Mode in IPsec Phase II
Explanation: When using a VPN for site-to-site connections, like the GRE over IPsec setup mentioned, Tunnel Mode is usually used. In Tunnel Mode, the entire original IP packet is encapsulated and becomes the payload in a new IP packet. This allows for a new IP header to be added, preventing duplicate IP addresses in the headers.
IPsec has two main modes of operation: Tunnel Mode and Transport Mode. Transport Mode only encrypts the payload and ESP trailer being sent between two parties but leaves the header untouched, while Tunnel Mode encrypts the entire original packet, making it the payload in a new packet with a new header.
Phase II in IPsec negotiation is where the actual tunnel is created and the mode (Tunnel Mode or Transport Mode) is selected, thus the option 'Tunnel Mode in IPsec Phase II' would be correct.
Changed my mind to C. Explanation:
The purpose of using GRE over IPsec is to provide a mechanism for encapsulating packets from protocols that aren't supported natively by IPsec (like multicast packets, which are used by many routing protocols). GRE provides the encapsulation and IPsec provides the encryption.
In this setup, IPsec in Transport mode will encrypt the entire inner packet (which includes the inner IP header originally sent by the host), and the original, unmodified IP header will be used to route the packet across the internet.
In contrast, Tunnel mode would add another (unnecessary) IP header, leading to inefficient use of bandwidth. Therefore, Transport mode is more suitable when used in conjunction with GRE.
See link below - After implementing the previous solution, you realize that every packet has duplicate IP addresses in the header. You need to keep the GRE tunnel but eliminate the duplicate IP addresses in the header of every packet.
To resolve this task, you must change the mode to Transport.
https://www.ciscopress.com/articles/article.asp?p=2803868&seqNum=3
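To make the "duplicate IP addresses" point concrete, here is an added example (my own code, not from the thread or from Cisco) that models the header stack of GRE over IPsec with ESP in both modes. It uses constructed RFC 5737 documentation addresses for the two tunnel peers and private addresses for the LAN hosts, and only fixed header sizes (IPv4 20 bytes, GRE without options 4 bytes, ESP SPI + sequence 8 bytes); ESP IV, padding, trailer and ICV are left out because they are the same in both modes for the same payload. It then reports which IP header repeats the peer address pair, the per-packet fixed overhead, and which headers end up inside the encrypted ESP payload.

```python
"""Header-stack model for GRE over IPsec (ESP): tunnel mode vs transport mode.

Added example, not part of the original thread. Sizes below are the fixed
parts of each header; ESP IV/padding/trailer/ICV are identical in both modes
for the same payload and are deliberately omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPV4_HDR = 20   # IPv4 header without options
GRE_HDR = 4     # GRE header without checksum/key/sequence
ESP_HDR = 8     # ESP SPI (4) + sequence number (4)

# Constructed sample addresses (RFC 5737 / RFC 1918 ranges).
PEER_A = "203.0.113.1"    # tunnel source and IPsec peer at site A
PEER_B = "198.51.100.1"   # tunnel destination and IPsec peer at site B
HOST_A = "10.1.1.10"      # LAN host behind site A
HOST_B = "10.2.2.20"      # LAN host behind site B


@dataclass(frozen=True)
class Header:
    name: str
    size: int
    src: Optional[str] = None
    dst: Optional[str] = None
    encrypted: bool = False   # True when the header sits inside the ESP payload


def gre_over_ipsec(mode: str) -> List[Header]:
    """Return the on-the-wire header stack, outermost first, for one IPsec mode."""
    inner_ip = Header("inner IPv4", IPV4_HDR, HOST_A, HOST_B, encrypted=True)
    gre = Header("GRE", GRE_HDR, encrypted=True)
    if mode == "transport":
        # ESP is inserted between the GRE delivery header and GRE itself:
        #   IP(A->B) | ESP | GRE | inner IP | data
        # The existing delivery header is reused, so the peer pair appears once.
        return [
            Header("GRE delivery IPv4", IPV4_HDR, PEER_A, PEER_B),
            Header("ESP", ESP_HDR),
            gre,
            inner_ip,
        ]
    if mode == "tunnel":
        # ESP wraps the whole GRE packet, delivery header included, and a new
        # outer header is built with the same peer addresses:
        #   IP(A->B) | ESP | IP(A->B) | GRE | inner IP | data
        return [
            Header("outer IPv4", IPV4_HDR, PEER_A, PEER_B),
            Header("ESP", ESP_HDR),
            Header("GRE delivery IPv4", IPV4_HDR, PEER_A, PEER_B, encrypted=True),
            gre,
            inner_ip,
        ]
    raise ValueError(f"unknown IPsec mode: {mode!r}")


def duplicate_address_headers(stack: List[Header]) -> List[str]:
    """Names of IP headers whose (src, dst) pair already appeared further out."""
    seen: Set[Tuple[str, str]] = set()
    dups: List[str] = []
    for h in stack:
        if h.src is None or h.dst is None:
            continue  # ESP and GRE carry no IP addresses
        key = (h.src, h.dst)
        if key in seen:
            dups.append(h.name)
        seen.add(key)
    return dups


def fixed_overhead(stack: List[Header]) -> int:
    """Bytes added on top of the original host packet (inner IP + data)."""
    return sum(h.size for h in stack if h.name != "inner IPv4")


def encrypted_headers(stack: List[Header]) -> List[str]:
    """Headers an on-path observer cannot read because they are inside ESP."""
    return [h.name for h in stack if h.encrypted]


def compare_modes() -> Dict[str, Dict[str, object]]:
    """Side-by-side summary used by the test and by the stand-alone run."""
    out: Dict[str, Dict[str, object]] = {}
    for mode in ("tunnel", "transport"):
        stack = gre_over_ipsec(mode)
        out[mode] = {
            "duplicates": duplicate_address_headers(stack),
            "overhead": fixed_overhead(stack),
            "encrypted": encrypted_headers(stack),
        }
    return out


if __name__ == "__main__":
    for mode, summary in compare_modes().items():
        print(f"{mode:9s} overhead={summary['overhead']:3d} B "
              f"duplicates={summary['duplicates']} encrypted={summary['encrypted']}")
```

Running it shows that tunnel mode carries the peer address pair twice (the outer header and the encrypted GRE delivery header) and costs an extra IPv4 header per packet, while transport mode carries it once; in both modes the inner host-to-host IP header and the GRE header are inside the ESP payload, so switching to transport mode does not expose the LAN addressing. That is exactly why, with GRE already supplying the delivery header, transport mode is the usual choice for GRE over IPsec.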