Which of the following ISAKMP states indicates that the…

Which of the following ISAKMP states indicates that the IKE peers have negotiated security parameters and
exchanged keys using aggressive mode during phase 1 of the IKE process? (Select the best answer.)

A. AG_INIT_EXCH
B. MM_KEY_EXCH
C. MM_SA_SETUP
D. QM_IDLE

Explanation:
The AG_INIT_EXCH Internet Security Association and Key Management Protocol (ISAKMP) state indicates
that the Internet Key Exchange (IKE) peers have negotiated security parameters and exchanged keys using
aggressive mode during phase 1 of the IKE process. Aggressive mode uses only three transactions to perform
the same IKE security negotiations that main mode performs in six transactions.

The QM_IDLE state does not indicate that the IKE peers have negotiated security parameters and exchanged
keys using aggressive mode during phase 1 of the IKE process. The QM_IDLE state indicates that an IKE
security association (SA) has been authenticated. You can issue the show crypto isakmp sa command from
privileged EXEC mode to determine the status of current IKE SAs on the router. You can specify the active or
standby keywords to limit the type of SA displayed in the output. Standby SAs are present when fault tolerance
is configured; however, they are inactive until a failover occurs. The status of an IKE SA is reflected in the state
field of the command output as shown below:

    dst         src         state      connid  slot  status
    10.1.2.3    10.1.2.4    QM_IDLE    2       0     STDBY
    10.3.2.1    10.3.2.4    QM_IDLE    1       0     ACTIVE

The QM_IDLE state indicates that IKE phase 1 negotiations have successfully completed and that an IKE SA
has been authenticated and is available for use. IKE SAs are used during the quick mode of the IKE process,
which is also referred to as IKE phase 2, to facilitate the creation of IP Security (IPSec) SAs. IPSec SA status is
not displayed by the show crypto isakmp sa command; you can issue the show crypto ipsec sa command to
determine the status of the IPSec SAs created during phase 2 negotiations.

The MM_SA_SETUP state does not indicate that the IKE peers have negotiated security parameters and
exchanged keys using aggressive mode during phase 1 of the IKE process. The MM_SA_SETUP state
indicates that the IKE peers are using main mode for phase 1 negotiations and that they have successfully
negotiated security parameters. IKE has two modes for phase 1 security negotiation: main mode and
aggressive mode. Main mode uses six transactions for IKE peers to negotiate security parameters, generate a
shared secret, and authenticate. Aggressive mode performs the same actions in three consolidated
transactions.

Similarly, the MM_KEY_EXCH state indicates that the IKE peers are using main mode for phase 1
negotiations; it does not indicate that the IKE peers have negotiated security parameters and exchanged keys
using aggressive mode during phase 1 of the IKE process. The MM_KEY_EXCH state indicates that the IKE
peers have exchanged keys and have generated a shared secret. IKE peers use the Diffie-Hellman (DH)
algorithm to exchange public keys and to generate a shared secret. The shared secret and public keys are
used during the authentication process, which is the final part of phase 1 main mode.

Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
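
The state meanings in the explanation can be applied to captured show crypto isakmp sa output to list SAs that are still mid-negotiation. The following is an added example, not part of the original page or Cisco's documentation. It assumes the six-column layout shown above, knows only the four states this question discusses, and uses a constructed sample in which the last two rows are invented.

```python
"""Added example: classify IKE SAs from `show crypto isakmp sa` output."""

# State -> (phase 1 mode, meaning, phase 1 complete?), as described in the
# explanation above. Any other state is reported as "unknown".
STATE_INFO = {
    "MM_SA_SETUP":  ("main", "security parameters negotiated", False),
    "MM_KEY_EXCH":  ("main", "keys exchanged, shared secret generated", False),
    "AG_INIT_EXCH": ("aggressive", "parameters negotiated and keys exchanged", False),
    "QM_IDLE":      ("-", "IKE SA authenticated, available for phase 2", True),
}

# Constructed sample: the two rows quoted on the page plus two invented rows.
SAMPLE = """\
dst             src             state          connid slot status
10.1.2.3        10.1.2.4        QM_IDLE             2    0 STDBY
10.3.2.1        10.3.2.4        QM_IDLE             1    0 ACTIVE
192.0.2.10      192.0.2.20      AG_INIT_EXCH        3    0 ACTIVE
192.0.2.10      192.0.2.30      MM_KEY_EXCH         4    0 ACTIVE
"""


def parse_isakmp_sa(text):
    """Return one dict per SA row; header, blank and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[3].isdigit():
            continue  # not an SA row in the assumed six-column layout
        dst, src, state, connid, slot, status = fields
        mode, meaning, done = STATE_INFO.get(
            state, ("unknown", "state not covered here", False))
        rows.append({"dst": dst, "src": src, "state": state,
                     "connid": int(connid), "status": status, "mode": mode,
                     "meaning": meaning, "phase1_complete": done})
    return rows


def pending_phase1(rows):
    """Active SAs that have not reached QM_IDLE (phase 1 still in progress)."""
    return [r for r in rows
            if r["status"] == "ACTIVE" and not r["phase1_complete"]]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE):
        print(f'{sa["src"]:>12} -> {sa["dst"]:<12} {sa["state"]:<13} '
              f'mode={sa["mode"]:<10} {sa["meaning"]}')
    print("pending connids:", [r["connid"] for r in pending_phase1(parse_isakmp_sa(SAMPLE))])
```

An SA that stays in pending_phase1 across repeated captures has not completed phase 1 and is worth checking against the peer's configuration.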


