Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two).
A.
Create an IPsec profile, associate the transform-set ACL, and apply the profile to the tunnel interface.
B.
Apply the crypto map to the tunnel interface and change the tunnel mode to tunnel mode ipsec ipv4.
C.
Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL.
D.
Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface.
E.
Remove the crypto map and modify the ACL to allow traffic between 10.10.0.0/24 to 10.20.0.0/24.
The correct answer is:
C. Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL.
D. Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface.
a somewhat easy cheatsheet for the exam:
you need 1 "remove" and 1 "IPSec profile."
this rules out B right away
there is no transform set ACL, so that kills A
the ACL is technically a GRE ACL on outside interface.
so you are left with D as the "IPSec profile."
then whatever you do, it will be on both routers due to vpn symmetry in configs
So that rules out E, since it doesnt reference both routers.
So you are left with C as he "remove"
C & D have more sense, because the question ask for simplify config. So Removing al Cryptomap config and the ACL tied to it, also applying that to the tunnel using the tunnel protection command.
B does not make sense as is calling for simplifying so using cryptomap on tunnels does not simplify and make ip sec profile useless.
Answer B can only be used to configure GRE Tunnel over an IPsec Tunnel and in this case, we don't need an IPsec profile just the crypto-map.
But in the question, we want to configure IPsec over a GRE Tunnel, so in this case, we need the following for IKE phase1 and IKE phase 2:
1- crypto isakmp policy
2- crypto isakmp key "in case of a pre-shared key defined in policy"
3- crypto isakmp transform-set
4- crypto ipsec profile.
Go to Interface:
-tunnel)# tunnel mode ipsec [ipv4/ipv6]
-tunnel)# tunnel protection ipsec profile [profile-Name]
C D.
"change the tunnel mode to tunnel mode IPsec ipv4." it's actually regarding Site-to-Site VTI over IPsec, not enabling IPsec over GRE using IPsec. page 462
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
xziomal9
Highly Voted 2 years, 7 months agoEddgar0
2 years agoiAbdullah
2 years, 6 months agoHamzaaa
Highly Voted 3 years agowr4net
Most Recent 11 months, 2 weeks agoHungarianDish
1 year agoWooker
1 year, 9 months agoPudu_vlad
1 year, 10 months agoAldebeer
2 years agoEddgar0
2 years agoaohashi
2 years, 2 months agozzmejce
2 years, 2 months agoNet91
2 years, 4 months agowwwwaaaa
2 years, 4 months agosharon90
2 years, 4 months agocyrus777
2 years, 5 months agoerror_909
2 years, 7 months agoHK010
2 years, 9 months agoDaniOcampo1992
2 years, 10 months ago