RouterA is configured to establish an IKE tunnel with RouterB. You issue the show crypto isakmp sa command
on RouterA and receive the following output:
dst src state connid slot
10.1.2.3 10.1.2.4 MM_SA_SETUP 1 0
Which of the following statements is true? (Select the best answer.)
A.
RouterA has negotiated ISAKMP SA parameters with RouterB.
B.
RouterA has exchanged keys with RouterB.
C.
RouterA has generated a shared secret.
D.
RouterA uses three transactions to negotiate an ISAKMP SA.
E.
RouterA has established an active IKE SA.
Explanation:
RouterA has negotiated Internet Security Association and Key Management Protocol (ISAKMP) security
association (SA) parameters with RouterB. The show crypto isakmp sa command displays the status of current
Internet Key Exchange (IKE) SAs on the router. The MM_SA_SETUP state indicates that the IKE peers are
using main mode for phase 1 negotiations and that they have successfully negotiated security parameters. IKE
has two modes for phase 1 security negotiation: main mode and aggressive mode. The following states are
used during main mode:
– MM_NO_STATE – The peers have created the SA.
– MM_SA_SETUP – The peers have negotiated SA parameters.
– MM_KEY_EXCH – The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared secret.
– MM_KEY_AUTH – The peers have authenticated the SA.
The following states are used during aggressive mode:
– AG_NO_STATE – The peers have created the SA.
– AG_INIT_EXCH – The peers have negotiated SA parameters and exchanged keys.
– AG_AUTH – The peers have authenticated the SA.
Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE
phase 1 has completed successfully and that there is an active IKE SA between peers.
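As an added example (not part of the original question or Cisco's documentation), the following Python script parses the five-column show crypto isakmp sa layout shown above and, using the state list just given, reports each SA's phase-1 mode, whether keys have been exchanged, and whether the IKE SA is active (QM_IDLE); the sample output it embeds is constructed and includes the row from the question.

```python
import re

# IKE state -> (mode, keys exchanged?, authenticated?, active IKE SA?)
# Values follow the main, aggressive and quick mode state descriptions above.
STATE_INFO = {
    "MM_NO_STATE":  ("main",       False, False, False),
    "MM_SA_SETUP":  ("main",       False, False, False),
    "MM_KEY_EXCH":  ("main",       True,  False, False),
    "MM_KEY_AUTH":  ("main",       True,  True,  False),
    "AG_NO_STATE":  ("aggressive", False, False, False),
    "AG_INIT_EXCH": ("aggressive", True,  False, False),
    "AG_AUTH":      ("aggressive", True,  True,  False),
    "QM_IDLE":      ("quick",      True,  True,  True),
}

# One SA row in the "dst src state connid slot" layout (assumed five-column format)
ROW_RE = re.compile(
    r"^(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<connid>\d+)\s+(?P<slot>\d+)\s*$"
)

def parse_isakmp_sa(output):
    """Return one dict per SA row; the header, blank and unrelated lines are skipped."""
    sas = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sa = m.groupdict()
        mode, keys, auth, active = STATE_INFO.get(sa["state"], ("unknown", False, False, False))
        sa.update(mode=mode, keys_exchanged=keys, authenticated=auth, active=active)
        sas.append(sa)
    return sas

def incomplete_tunnels(output):
    """(src, dst, state) for peers whose IKE SA has not reached QM_IDLE, i.e. phase 1 still in progress."""
    return [(sa["src"], sa["dst"], sa["state"]) for sa in parse_isakmp_sa(output) if not sa["active"]]

# Constructed sample: the row from the question plus two further SAs (not real device output)
SAMPLE = """dst             src             state          connid  slot
10.1.2.3        10.1.2.4        MM_SA_SETUP    1       0
192.0.2.10      192.0.2.20      QM_IDLE        2       0
198.51.100.5    198.51.100.6    AG_INIT_EXCH   3       0
"""

if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE):
        print(f"{sa['src']} -> {sa['dst']}: {sa['state']} ({sa['mode']} mode, keys={sa['keys_exchanged']}, active={sa['active']})")
    print("incomplete:", incomplete_tunnels(SAMPLE))
```

Feeding the question's output through parse_isakmp_sa gives main mode, keys_exchanged False and active False for the 10.1.2.3/10.1.2.4 pair, which is exactly why only option A holds.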
Because RouterA is using main mode, RouterA requires six transactions, not three, to negotiate an ISAKMP
SA. Main mode requires six transactions for IKE peers to negotiate security parameters, generate a shared
secret, and mutually authenticate. Aggressive mode requires only three transactions to negotiate security
parameters, establish a key management tunnel, and mutually authenticate.
RouterA has not yet exchanged keys with RouterB or generated a shared secret. Key exchange and shared
secret generation occur during the MM_KEY_EXCH state.
Reference: Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa