Configure a FlexVPN site-to-site GRE/IP sec tunnel.

SIMULATION
Configure a FlexVPN site-to-site GRE/IP sec tunnel.

SIMULATION
Configure a FlexVPN site-to-site GRE/IP sec tunnel.

Answer: See the explanation

Explanation:
Here are the steps as below:
Step 1: configure key ring
crypto ikev2 keyring mykeys
peer SiteB.cisco.com
address 209.161.201.1
pre-shared-key local $iteA
pre-shared key remote $iteB
Step 2: Configure IKEv2 profile
Crypto ikev2 profile default
identity local fqdn SiteA.cisco.com
Match identity remote fqdn SiteB.cisco.com
Authentication local pre-share
Authentication remote pre-share
Keyring local mykeys
Step 3: Create the GRE Tunnel and apply profile
crypto ipsec profile default
set ikev2-profile default
Interface tunnel 0
ip address 10.1.1.1 255.255.255.0
Tunnel source eth 0/0
Tunnel destination 209.165.201.1
tunnel protection ipsec profile default
end

Show Hint

Leave a Reply 5

Your email address will not be published. Required fields are marked *

nineteen − 9 =

Krish

Krish

The question is also asking for an IKEv2 proposal that is not shown with the current answer.

Reply

Jaghi

Jaghi

Missed Part:

crypto ikev2 proposal Propposal-2
encryption aes-cbc-128
integrity sha1
group 5

Reply

Jaghi

Jaghi

We need to add a ikev2 policy to call the proposal otherwise it’s using the default proposal.

R1#sh crypto ikev2 proposal
IKEv2 proposal: Propposal-2
Encryption : AES-CBC-128
Integrity : SHA96
PRF : SHA1
DH Group : DH_GROUP_1536_MODP/Group 5
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

crypto ikev2 policy test
proposal Propposal-2

I suggest don’t add the policy at first, at the end if they are using default proposal add the test policy to call the Propposal-2.

Reply

Łukasz Stefan

Łukasz Stefan

New 300-209 Exam Questions Updated Recently (4/July/2017):

NEW QUESTION 293
A company has a Flex VPN solution for remote access and one of their Cisco any Connect remote clients is having trouble connecting property. Which command verifies that packets are being encrypted and decrypted?

A. show crypto session active
B. show crypto ikev2 stats
C. show crypto ikev1 sa
D. show crypto ikev2 sa
E. show crypto session detail

Answer: E

NEW QUESTION 294
Refer to the exhibit, which result of this command is true?

A. Makes the router generate a certificate signing request
B. Generates an RSA key called TRIALFOUR
C. It displays the RSA public keys of the router
D. It specifies self- signed enrollment for a trust point

Answer: A

NEW QUESTION 295
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?

A. Certificates were not configured
B. Diffie – Helman Group is not set
C. Access lists were not applied
D. NAT – traversal is not configured

Answer: D

NEW QUESTION 296
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?

A. Diffie – Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES

Answer: D

NEW QUESTION 297
Which purpose of configuring perfect Forward secret is true?

A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.

Answer: A

NEW QUESTION 298
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel. What is a potential cause for this issue?

A. different phase 2 encryption
B. misconfigured DH group
C. disabled PFS
D. firewall blocking Phase 2 ESP or AH

Answer: A

NEW QUESTION 299
Which option describes traffic that will initiate a VPN connection?

A. trusted
B. external
C. internal
D. interesting

Answer: D

NEW QUESTION 300
……

P.S. These New 300-209 Exam Questions Were Just Updated From The Real 300-209 Exam, You Can Get The Newest 300-209 Dumps In PDF And VCE From — http://www.passleader.com/300-209.html (307q VCE and PDF)

Good Luck!

Reply