IKE Quiz

Questions and Answers

Which SA is negotiated during phase 1?

• Both IKE SA and IPsec SA
• Neither IKE SA nor IPsec SA
• IPsec SA
• IKE SA (correct)

Which SA is used for encrypting the data sent through the tunnel?

• IPsec SA (correct)
• Neither IKE SA nor IPsec SA
• IKE SA
• Both IKE SA and IPsec SA

Which version of IKE is considered the legacy version?

• Both IKE-v1 and IKE-v2
• IKE-v1 (correct)
• Neither IKE-v1 nor IKE-v2
• IKE-v2

Which version of IKE is considered simpler to operate?

IKE-v2 (C)

Which version of IKE exclusively supports the network ID feature?

IKE-v2 (C)

Which version of IKE is best suited for SD-WAN deployments?

IKE-v2 (A)

Which version of IKE supports denying access to spokes without using a certificate signature?

IKE-v1 (A)

Which version of IKE supports establishing multiple AD-VPN shortcuts between the same pair of local and remote gateway addresses?

IKE-v2 (D)

Which version of IKE is often preferred for security-wise deployments?

IKE-v2 (C)

Which topology is commonly used in SD-WAN deployments using IPsec overlays?

Hub-and-spoke topology (A)

Which protocol negotiates the private keys, authentication method, and encryption for creating an IPsec tunnel?

IKE-v2 (B)

What is the outcome of Phase 1 in IKE?

IKE SA (C)

What is the outcome of Phase 2 in IKE?

IPsec SA (B)

Which version of IKE is known for its wider adoption and is considered legacy?

IKE-v1 (B)

Which version of IKE is known for its simpler operation, more features, and increasing adoption?

IKE-v2 (C)

Which version of IKE is usually preferred for SD-WAN and has a network ID feature for AD-VPN?

IKE-v2 (A)

What are SAs in the context of IPsec?

Security Associations (C)

What happens if both sides cannot agree on the security rules for sending data and verifying each other's identity in an IPsec tunnel?

The tunnel is terminated (D)

What needs to happen when SAs expire in an IPsec tunnel?

They need to be renewed (D)

How many distinct phases does IKE use?

2 (D)

Which direction is most of the IPsec overlay traffic initiated from?

Spoke to hub (A)

Where are the workloads located that are protected by the hub?

On both the hub and the spokes (C)

Why is SD-WAN usually deployed on the spokes only?

Because most of the traffic is initiated in the spoke-to-hub direction (B)

In which direction is traffic also initiated, requiring SD-WAN on the hub side?

Hub to spoke (B)

What routing protocol is used to exchange routing information through the overlays?

BGP (B)

What are the IP subnets used for the overlays established over the ISP1 underlay?

10.201.1.0/24 (B)

What are the IP subnets used for the overlays established over the ISP2 underlay?

10.202.1.0/24 (A)

What is the goal for all sites in terms of exchanging prefixes over overlays?

To exchange prefixes over all available overlays (B)

Why is dynamic routing preferred over static routing in this scenario?

Because of scalability reasons and AD-VPN requirements (B)

What is AD-VPN?

A type of VPN that uses dynamic routing (C)