Hi Kings, Tyson and all,

Could you please clarify the questions below?

1) When a question asks us to configure two contexts, one named Admin, do
we still create a new context as admin or use the default admin context?

2) Also, when you make the config-url admin, I could see there are two .cfg
files. Can both of these files exist?

Context Name      Class      Interfaces           URL
*admin            default                         disk0:/admin.cfg
 Admin            default    Ethernet0/1.4,22,Redundant1 disk0:/admin.cfg
 R1               default    Ethernet0/1.3,22,Redundant1 disk0:/r1.cfg

3) What are the KEK and TEK policies, and what attributes should each
policy include? When I check 'show crypto gdoi group' I could see only the TEK
policy, as below. Where is the KEK?

GROUP INFORMATION
    Group Name               : mygroup
    Group Identity           : 40
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : x.x.3.1
    Group Server list        : x.x.3.1

    GM Reregisters in        : 3030 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS x.x.3.1:
   access-list  permit ip host 222.222.222.222 host 40.40.33.3
   access-list  permit ip host 40.40.33.3 host 222.222.222.222

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/1:
    IPsec SA:
        spi: 0x74CA5CCB(1959419083)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (3157)
        Anti-Replay : Disabled

4) Does FPM work on sub-interfaces? I have configured FPM on a router
(2811, IOS 12.4(15)T12) and applied the service policy to a sub-interface,
denying large ICMP packets, but when I ping with packet size 3000 I was
still able to get the reply.

5) When the same interface is shared between two contexts
and the question does not ask about the MAC address, should we always
configure the 'mac-address auto' command?

6) When we configure a CA server, is it required to set the clock, or is it
just best practice? It is still working with the current clock
time.

7) What is the CRL lifetime when configuring a CA server?

Thanks in advance...