单选题Which statement is true regarding IPsec VPNs?（）A There are five phases of IKE negotiation.B There are two phases of IKE negotiation.C IPsec VPN tunnels are not supported on SRX Series devices.D IPsec VPNs require a tunnel PIC in SRX Series devices.

第1题：

第2题：

Which three features are benefits of using GRE tunnels in conjunction with IPsec for building site-to-site VPNs？（）

• A、allows dynamic routing over the tunnel
• B、supports multi-protocol （non-IP） traffic over the tunnel
• C、reduces IPsec headers overhead since tunnel mode is used
• D、simplifies the ACL used in the crypto map
• E、uses Virtual Tunnel Interface （VTI） to simplify the IPsec VPN configuration

第3题：

Which statement is true regarding NAT?（）

• A、NAT is not supported on SRX Series devices.
• B、NAT requires special hardware on SRX Series devices.
• C、NAT is processed in the control plane.
• D、NAT is processed in the data plane.

第4题：

What is true about Quality of Service （QoS） for VPNs？（）

• A、QoS preclassification is only supported on generic routing encapsulation （GRE） and IPsec VPNs
• B、QoS preclassification is not required in Layer 2 Tunneling Protocol （L2TP）， Layer2 Forwarding （L2F）， and Point-to-Point Tunneling Protocol （PPTP） VPNs
• C、QoS preclassification is supported on IPsec AH VPNs， but not on IPsec ESP VPNs
• D、the QoS-for-VPNs feature （QoS preclassification） is designed for VPN transport interfaces
• E、with IPsec tunnel mode， the type of service （ToS） byte value is copied automatically from the original IP header to the tunnel header

第5题：

You are configuring an SRX210 as a firewall enforcer that will tunnel IPsec traffic from several Junos Pulse users.Which two parameters must you configure on the SRX210?（）

• A、access profile
• B、IKE parameters
• C、tunneled interface
• D、redirect policy

第6题：

Which statement is true regarding IPsec VPNs?（）

• A、There are five phases of IKE negotiation.
• B、There are two phases of IKE negotiation.
• C、IPsec VPN tunnels are not supported on SRX Series devices.
• D、IPsec VPNs require a tunnel PIC in SRX Series devices.

第7题：

Regarding an IPsec security association （SA）， which two statements are true？（）

• A、IKE SA is bidirectional.
• B、IPsec SA is bidirectional.
• C、IKE SA is established during phase 2 negotiations.
• D、IPsec SA is established during phase 2 negotiations.

第8题：

Which two configuration elements are required for a route-based VPN？（）

• A、secure tunnel interface
• B、security policy to permit the IKE traffic
• C、a route for the tunneled transit traffic
• D、tunnel policy for transit traffic referencing the IPsec VPN

第9题：

第10题：

第11题：

第12题：

第13题：

IPSec VPN is a widely-acknowledged solution for enterprise network. Which three IPsec VPNstatements are true？（）

• A、IKE keepalives are unidirectional and sent every ten seconds
• B、IPsec uses the Encapsulating Security Protocol （ESP） or the Authentication Header （AH）protocol for exchanging keys
• C、To establish IKE SA, main mode utilizes six packets while aggressive mode utilizes only threepackets
• D、IKE uses the Diffie-Hellman algorithm to generate symmetrical keys to be used by IPsec peers

第14题：

What is not a difference between VPN tunnel authentication and per-user authentication?（）

• A、VPN tunnel authentication is part of the IKE specification. 
• B、VPN tunnel authentication does not control which end user can use the IPSec SA (VPN tunnel).
• C、User authentication is used to control access for a specific user ID, and can be used with or without a VPN tunnel for network access authorization. 
• D、802.1X with EAP-TLS (X.509 certificates) can be used to authenticate an IPSec tunnel.

第15题：

Which two configuration elements are required for a policy-based VPN？（）

• A、IKE gateway
• B、secure tunnel interface
• C、security policy to permit the IKE traffic
• D、security policy referencing the IPsec VPN tunnel

第16题：

To securely transport EIGRP traffic, a network administrator will build VPNs between sites. What is the best method to accomplish the transport of EIGRP traffic?（）

• A、IPSec in tunnel mode
• B、IPSec in transport mode
• C、GRE with IPSec in transport mode
• D、GRE with IPSec in tunnel mode

第17题：

You are installing a MAG Series device for access control using an SRX Series device as the firewall enforcer. The MAG Series device resides in the same security zone as users. However, the users reside in different subnets and use the SRX Series device as an IP gateway.Which statement is true?（）

• A、You must configure a security policy on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
• B、No security policy is necessary on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
• C、You must configure host-inbound traffic on the SRX Series device to allow SSL traffic between the MAG Series device and the user devices.
• D、You must configure host-inbound traffic on the SRX Series device to allow EAP traffic between the MAG Series device and the user devices.

第18题：

An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using DHCP.Which two statements are true? （）(Choose two.)

• A、Only main mode can be used for IKE negotiation
• B、A local-identity must be defined
• C、It must be the initiator for IKE
• D、A remote-identity must be defined

第19题：

Which statement is true regarding the Junos OS for security platforms?（）

• A、SRX Series devices can store sessions in a session table.
• B、SRX Series devices accept all traffic by default.
• C、SRX Series devices must operate only in packet-based mode.
• D、SRX Series devices must operate only in flow-based mode.

第20题：

第21题：

第22题：

第23题：