D is correct. FortiGate_Infrastructure_6.4 page 231:
"Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic."
The right answer is D, this is why:
Page 230 FortiGate Infrastructure 6.4 Study Guide
Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation.
On answer B, "FortiGate automatically negotiates a new security association after the existing security association expires.", they claim that negotiation happens after the SAs expire and not before, as is written on FortiGate Infrastructure 6.4 Study Guide page 230.
Also on the same page they say:
Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic.
This makes me think that the right answer is D.
D should be correct.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/156465/configuring-phase-2-parameters
They ask about the effect; this ultimately brings the tunnel up.
"Another benefit", not an "effect".
Enabling Auto-negotiate will enable Auto-Keep Alive and as a benefit, the tunnel comes up and stays up.
The effect is: SA negotiation when it expires.
The answer is B.
The catch is "when the existing SA expires". Auto-negotiate negotiates an SA even before the existing SA expires (FortiGate Infrastructure page 231). The correct answer is D.
B. The lifespan of an SA is often shorter than the data transfer session; as a result, multiple Phase 2 SAs are negotiated. When there is zero data transfer, the Phase 2 SA doesn't get negotiated and the existing one expires, bringing the tunnel down. When data transfer resumes, the peers first negotiate a new SA. In short, Phase 1 is to authenticate and protect the peering, Phase 2 is for data transfer.
The Answer is B.
The key point in the question is "auto-negotiate"
Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires.
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established.
Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536?externalID=12069
I think C is very generic. An IPsec tunnel consists of 2 phases and 2 SAs. Yes, it brings the tunnel up, but this happens because it is auto-negotiating the 2nd SA if there's no traffic passing through the tunnel and the 2nd SA has expired. So I stick with B.
I believe the question leaves room for doubt and, in that sense, the most correct answer is D. For B, there is documentation stating that it happens after the SA has expired, while other documentation says the negotiation is done before the SA expires. For D, I ran a test using two FortiGate-VMs with no hosts behind them (that is, no traffic), interconnected through a router. When I disconnect the router's interface, the tunnel goes down after approximately 60 seconds. When I reconnect the interface, the tunnel does not come up (remember there are no hosts behind the FGTs generating traffic). After enabling Auto-negotiate, when I reconnect the router's interface the tunnel comes up. That matches the text of option D, so in this doubtful scenario it seems to me the most correct one.
I believe the answer is B:
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/604285/phase-2-configuration#auto
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established. Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.
If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Auto-negotiate initiates the phase 2 SA negotiation automatically, repeating every five seconds until the SA is established.
Automatically establishing the SA can be important for a dialup peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the VPN tunnel does not exist until the dialup peer initiates traffic.
B - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536
If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel.
Auto-negotiate initiates the phase 2 SA negotiation automatically, repeating every five seconds until the SA is established.
It is B.
https://kb.fortinet.com/kb/documentLink.do?externalID=12069
Auto-negotiate.
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. --> This means that when the IPSEC SA expires, the phase2 remains down "UNTIL" new interesting traffic triggers the negotiation for new IPSEC SA.
But, if you enable "Auto-negotiate", as soon as the IPSEC SA expires, the "Auto-negotiate" feature will negotiate a new one and start using it. So, this process will bring up the tunnel again, even if there is no interesting traffic.
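The two behaviours the thread is arguing about, as an added simulation that is not Fortinet code and comes from none of the commenters: on-demand phase 2 (SA negotiated only when a packet arrives, triggering packet dropped) versus Auto-negotiate (retry every 5 s while down, rekey before expiry). The SA lifetime, negotiation delay and rekey margin are constructed values chosen to keep the timeline short.

```python
"""Constructed simulation (not FortiGate code) of a phase 2 SA with and
without Auto-negotiate, following the Fortinet text quoted in the thread.
Time is in whole seconds; one tick() call per second."""
from dataclasses import dataclass, field

SA_LIFETIME = 60    # seconds; constructed for the demo (real default is far longer)
NEG_DELAY = 2       # assumed seconds for a phase 2 negotiation to complete
RETRY = 5           # auto-negotiate retry interval stated in the Fortinet docs
REKEY_MARGIN = 10   # assumed: rekey this many seconds before the SA expires

@dataclass
class Tunnel:
    auto_negotiate: bool
    sa_expires: int = -1          # expiry time of the current SA, -1 = no SA
    negotiating_until: int = -1   # completion time of an in-flight negotiation
    dropped: list = field(default_factory=list)   # times of dropped packets
    up_seconds: int = 0

    def sa_up(self, t):
        return t < self.sa_expires

    def start_negotiation(self, t):
        if self.negotiating_until < 0:            # only one in flight
            self.negotiating_until = t + NEG_DELAY

    def tick(self, t, traffic):
        if self.negotiating_until == t:           # negotiation completes
            self.sa_expires = t + SA_LIFETIME     # new SA used right away
            self.negotiating_until = -1
        if self.auto_negotiate:
            if self.sa_up(t) and self.sa_expires - t == REKEY_MARGIN:
                self.start_negotiation(t)         # rekey before expiry
            elif not self.sa_up(t) and t % RETRY == 0:
                self.start_negotiation(t)         # retry every 5 s while down
        if traffic and not self.sa_up(t):
            self.dropped.append(t)                # triggering packet is lost
            self.start_negotiation(t)             # on-demand negotiation
        if self.sa_up(t):
            self.up_seconds += 1

def simulate(auto_negotiate, traffic_times, horizon=200):
    """Return (seconds the tunnel was up, times at which packets were dropped)."""
    tun = Tunnel(auto_negotiate)
    for t in range(horizon):
        tun.tick(t, t in traffic_times)
    return tun.up_seconds, tun.dropped

if __name__ == "__main__":
    for mode in (False, True):
        print("auto-negotiate", mode, simulate(mode, {5, 100}))
```

With two packets at t=5 and t=100 the on-demand tunnel is up for 120 of 200 seconds and loses both triggering packets, while the Auto-negotiate tunnel is up from t=2 onward and loses none.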