There are five phases of IKE negotiation.
There are two phases of IKE negotiation.
IPsec VPN tunnels are not supported on SRX Series devices.
IPsec VPNs require a tunnel PIC in SRX Series devices.
第1题:
A. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; }policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { interface ge-0/0/1.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
B. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; } policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { interface st0.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
C. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200;} policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { bind-interface ge-0/0/1.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
D. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; }policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { bind-interface st0.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
第2题:
Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs?()
第3题:
Which statement is true regarding NAT?()
第4题:
What is true about Quality of Service (QoS) for VPNs?()
第5题:
You are configuring an SRX210 as a firewall enforcer that will tunnel IPsec traffic from several Junos Pulse users.Which two parameters must you configure on the SRX210?()
第6题:
Which statement is true regarding IPsec VPNs?()
第7题:
Regarding an IPsec security association (SA), which two statements are true?()
第8题:
Which two configuration elements are required for a route-based VPN?()
第9题:
NAT is not supported on SRX Series devices.
NAT requires special hardware on SRX Series devices.
NAT is processed in the control plane.
NAT is processed in the data plane.
第10题:
IKE gateway
secure tunnel interface
security policy to permit the IKE traffic
security policy referencing the IPsec VPN tunnel
第11题:
QoS preclassification is only supported on generic routing encapsulation (GRE) and IPsec VPNs
QoS preclassification is not required in Layer 2 Tunneling Protocol (L2TP), Layer2 Forwarding (L2F), and Point-to-Point Tunneling Protocol (PPTP) VPNs
QoS preclassification is supported on IPsec AH VPNs, but not on IPsec ESP VPNs
the QoS-for-VPNs feature (QoS preclassification) is designed for VPN transport interfaces
with IPsec tunnel mode, the type of service (ToS) byte value is copied automatically from the original IP header to the tunnel header
第12题:
IPSec in tunnel mode
IPSec in transport mode
GRE with IPSec in transport mode
GRE with IPSec in tunnel mode
第13题:
IPSec VPN is a widely-acknowledged solution for enterprise network. Which three IPsec VPNstatements are true?()
第14题:
What is not a difference between VPN tunnel authentication and per-user authentication?()
第15题:
Which two configuration elements are required for a policy-based VPN?()
第16题:
To securely transport EIGRP traffic, a network administrator will build VPNs between sites. What is the best method to accomplish the transport of EIGRP traffic?()
第17题:
You are installing a MAG Series device for access control using an SRX Series device as the firewall enforcer. The MAG Series device resides in the same security zone as users. However, the users reside in different subnets and use the SRX Series device as an IP gateway.Which statement is true?()
第18题:
An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using DHCP.Which two statements are true? ()(Choose two.)
第19题:
Which statement is true regarding the Junos OS for security platforms?()
第20题:
[edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; }policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { interface ge-0/0/1.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
[edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; } policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { interface st0.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
[edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200;} policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { bind-interface ge-0/0/1.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
[edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; }policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { bind-interface st0.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
第21题:
You must configure a security policy on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
No security policy is necessary on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
You must configure host-inbound traffic on the SRX Series device to allow SSL traffic between the MAG Series device and the user devices.
You must configure host-inbound traffic on the SRX Series device to allow EAP traffic between the MAG Series device and the user devices.
第22题:
access profile
IKE parameters
tunneled interface
redirect policy
第23题:
secure tunnel interface
security policy to permit the IKE traffic
a route for the tunneled transit traffic
tunnel policy for transit traffic referencing the IPsec VPN