What is the configuration problem with the tunnel?

-- Exhibit --
user@host> show security ike security-associations 1.1.1.2
Index Remote Address State Initiator cookie Responder cookie Mode
8 1.1.1.2 UP 3a895f8a9f620198 9040753e66d700bb Main
user@host> show security ipsec security-associations
Total active tunnels: 0
user@host> show route
inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:25
> to 2.2.2.1 via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:00:25
> via ge-0/0/0.0
2.2.2.2/32 *[Local/0] 00:00:25
Local via ge-0/0/0.0
10.1.1.0/30 *[Direct/0] 00:06:06
> via st0.0
10.1.1.1/32 *[Local/0] 00:06:06
Local via st0.0
10.12.1.0/24 *[Direct/0] 00:06:06
> via ge-0/0/1.0
10.12.1.1/32 *[Local/0] 00:06:06
Local via ge-0/0/1.0
10.128.64.0/24 *[Static/5] 00:00:25
> to 2.2.2.1 via ge-0/0/0.0
user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: vpn
Policy: permit-all, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit

-- Exhibit --
Refer to the Exhibit.
You have created an IPsec VPN on an SRX Series device. You believe the tunnel is configured correctly, but traffic from a host with the IP address of 10.12.1.10 cannot reach a remote device over the tunnel with an IP address of 10.128.64.132. The ge-0/0/1.0 interface is in the trust zone and the st0.0 interface is in the vpn zone. The output of four show commands is shown in the exhibit.
What is the configuration problem with the tunnel?

A.
Only one IKE tunnel exists so there is no path for return IKE traffic. You need to allow IKE
inbound on interface ge-0/0/0.0.

B.
Because there are no IPsec security associations, the problem is in the IPsec proposal settings.

C.
The static route created to reach the remote host is incorrect.

D.
The VPN settings are correct, the traffic is being blocked by a security policy.

Khurram Aziz

Can anyone shed some light on this answer? How come it's C?

Nerd

Traffic needs to be directed into an st interface, not a ge interface.
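The point made in the last comment can be checked mechanically. The following is an added example, not part of the original question or the SRX itself: it performs the longest-prefix lookup the device would do for the remote host against a constructed copy of the exhibit's "show route" output and reports whether the egress interface is the tunnel interface (assumed here to be only st0.0).

```python
import ipaddress
import re

# Constructed copy of the exhibit's routing table; the /32 Local entries are
# omitted because they cannot match the remote host address in this check.
SHOW_ROUTE = """\
0.0.0.0/0 *[Static/5] 00:00:25
> to 2.2.2.1 via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:00:25
> via ge-0/0/0.0
10.1.1.0/30 *[Direct/0] 00:06:06
> via st0.0
10.12.1.0/24 *[Direct/0] 00:06:06
> via ge-0/0/1.0
10.128.64.0/24 *[Static/5] 00:00:25
> to 2.2.2.1 via ge-0/0/0.0
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s")
VIA_RE = re.compile(r"via\s+(\S+)")


def parse_routes(text):
    """Return {network: egress_interface} from Junos-style 'show route' text."""
    routes, current = {}, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = ipaddress.ip_network(m.group(1))
            continue
        v = VIA_RE.search(line)
        if v and current is not None and current not in routes:
            routes[current] = v.group(1)  # first next hop listed is the active one
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, the same selection the forwarding lookup makes."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen, default=None)
    return routes[best] if best else None


def diagnose(route_text, dst, tunnel_ifaces=("st0.0",)):
    """Say whether traffic to dst is steered into the route-based VPN (assumed st0.0)."""
    iface = egress_interface(parse_routes(route_text), dst)
    if iface is None:
        return "no route"
    if iface in tunnel_ifaces:
        return "ok"
    return f"route to {dst} leaves via {iface}, not the tunnel interface"
```

Run against the exhibit, the lookup for 10.128.64.132 resolves to the 10.128.64.0/24 static route and reports ge-0/0/0.0, so the security policy is never consulted for the vpn zone and the packet is sent out the WAN interface in the clear rather than encrypted.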