Exam 300-730 topic 1 question 6 discussion

i tested every answer in my lab and this is my finding. - only when a tunnel interface is used crypto map tag is Tunnel1-head-0 - only when tunnel mode is ipsec the local and remote ident are 0.0.0.0/0.0.0.0/0/0 - as soon as gre is used local and remote ident are (15.1.1.1/255.255.255.255/47/0) so i would choose D (FlexVPN with sVTI) and E (VTI when configured static)

B and E are correct. Remember crypto maps are applied to physical interfaces.

I got those results from LAB, only for DMVPN and VTI. VlexVPN has Virtual-access interface, NOT Tunnel interface. GRE-only tunnel doesnt use IPSEC so it wont show up in IPSEC SA command and Crypto map is not used for tunnel interfaces.

Analysing the result of the command 'show crypto ipsec sa', I received the same result for both Flexvpn and DMVPN. Therefore the correct answer is BD

FlexVPN-Client#sh crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 200.1.10.2 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 200.1.10.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 200.1.10.2, remote crypto endpt.: 200.1.10.1 plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0 current outbound spi: 0xA9A19C6B(2845940843) PFS (Y/N): N, DH group: none

D and E are correct. This output is from a Cisco FlexVPN client/server configuration. This is the client side with VTI !!!!

VTI#sh crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 10.10.10.2 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 12.12.12.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 10.10.10.2, remote crypto endpt.: 12.12.12.2 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none

GETVPN#sh crypto ipsec sa interface: Ethernet0/0 Crypto map tag: GVPN-MAP, local addr 172.16.10.2 protected vrf: (none) local ident (addr/mask/prot/port): (10.0.0.0/255.252.0.0/0/0) remote ident (addr/mask/prot/port): (10.0.0.0/255.252.0.0/0/0) Group: GROUP5 current_peer 0.0.0.0 port 848 PERMIT, flags={} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.16.10.2, remote crypto endpt.: 0.0.0.0 plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0 current outbound spi: 0x3665FF29(912654121) PFS (Y/N): N, DH group: none

GRE-CRYPTO-MAP#sh crypto ipsec sa interface: Ethernet0/0 Crypto map tag: OUTSIDE-MAP, local addr 10.10.10.2 protected vrf: (none) local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0) current_peer 12.12.12.2 port 500 PERMIT, flags={origin_is_acl,ipsec_sa_request_sent} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 10.10.10.2, remote crypto endpt.: 12.12.12.2 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none

DMVPN#sh crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 209.165.201.2 protected vrf: (none) local ident (addr/mask/prot/port): (209.165.201.2/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (192.0.2.3/255.255.255.255/47/0) current_peer 192.0.2.3 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3 #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 209.165.201.2, remote crypto endpt.: 192.0.2.3 plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb (none) current outbound spi: 0xD1325E27(3509739047) PFS (Y/N): N, DH group: none

According to lab outputs A and E are correct

for whoever tested it in the lab, For flexvpn the output of show crypto ipsec sa, starts with the following: CSR1#show crypto ipsec sa interface: Virtual-Access // not interface: Tunnel0 So it should be B and E

I built this in a lab and concur with nospampls results. Note that "show crypto ipsec sa" on a DMVPN will show port 47 as it is using mGRE. VTI with IKEv2 produces the 0.0.0.0/0.0.0.0/0/0 output as shown in the example. Since the question is asking for "tunnel" type that means only possible answers are D and E

crypto map is NOT a "tunnel type",. DMVPN and GETVPN are VPN types, Not Tunnel Types

It asks for tunnel type. it should be C and E.

Should be A and E, there is no reference to protocol 47 (GRE) in the output. Also the output shows acl, which implies crypto map. All of the local and remote idents are "0", indicating raw IPsec.