Which two statements are true concerning policy-based IPsec VPNs on an SRX Series device?

Which two statements are true concerning policy-based IPsec VPNs on an SRX Series device? (Choose two)

A. A new tunnel is set up for each flow of traffic that matches the policy.

B. One tunnel is set up for all flows of traffic that match the policy.

C. A new tunnel is set up before a flow of traffic matches the policy.

D. A new tunnel is set up only when a flow of traffic matches the policy.




3abdontha3if

According to the JNCIS-SEC study guide, I think it should be A and D.

Shahid

Y I think this is the correct sequence:
Policy-based VPNs are required when one endpoint of the tunnel uses dynamic addressing.
For policy-based IPsec VPNs, a new tunnel generates for each flow of traffic that matches the policy.

Policy match and tunnel establishment:
The Junos OS looks up the security policy. The traffic matches a tunnel policy. The original packet receives encryption.

The Junos OS hashes the packet with an authentication key.

The Junos OS builds the tunnel packet with a new IP header, IPsec header, and hash value. The new packet travels to the tunnel peer.

Dilip Kumar

A & D

Route-based VPN tunnel configuration is a good choice when you want to conserve tunnel resources while setting granular restrictions on VPN traffic.

With a policy-based VPN, although you can create numerous tunnel policies referencing the same VPN tunnel, each tunnel policy pair creates an individual IPsec security association (SA) with the remote peer. Each SA counts as an individual VPN tunnel.

http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/policy-based-route-based-vpn-comparing.html