You are asked to implement a monitoring feature that periodically verifies that the data
plane is working across your IPsec VPN. Which configuration will accomplish this task?
A.
[edit security ike]
user@srx# show
policy policy-1 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
    ike-policy policy-1;
    address 10.10.10.2;
    vpn-monitor;
    external-interface ge-0/0/1;
}
B.
[edit security ipsec]
user@srx# show
policy policy-1 {
    proposal-set standard;
}
vpn my-vpn {
    bind-interface st0.0;
    vpn-monitor;
    ike {
        gateway my-gateway;
        ipsec-policy policy-1;
    }
    establish-tunnels immediately;
}
C.
[edit security ike]
user@srx# show
policy policy-1 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
    ike-policy policy-1;
    address 10.10.10.2;
    dead-peer-detection;
    external-interface ge-0/0/1;
}
D.
[edit security ipsec]
user@srx# show
policy policy-1 {
    proposal-set standard;
}
vpn my-vpn {
    bind-interface st0.0;
    dead-peer-detection;
    ike {
        gateway my-gateway;
        ipsec-policy policy-1;
    }
    establish-tunnels immediately;
}
VPN monitor and establish tunnels immediately are the key parts to this answer.
VPN Monitor is configured under the VPN (not the gateway), as well as establish-tunnels
Version: 15.1X49-D75.5
# set security ipsec vpn test ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  bind-interface       Bind to tunnel interface (route-based VPN)
  copy-outer-dscp      Enable coping outer IP header DSCP and ECN to inner IP header
  df-bit               Specifies how to handle the Don't Fragment bit
  establish-tunnels    Define the criteria to establish tunnels
> ike                  Define an IKE-keyed IPSec vpn
> manual               Define a manual security association
> traffic-selector     Traffic selector
> vpn-monitor          Monitor VPN liveliness