See inline
-B (now back to work)
From: [email protected] [mailto:[email protected]] On Behalf Of Pemasiri Devanarayana
Sent: Thursday, February 24, 2011 12:18 PM
To: Kingsley Charles; Tyson Scott; [email protected]
Subject: [OSL | CCIE_Security] GET VPN KEK/TEK
Hi Kings, Tyson and all,
Could you please clarify the questions below for me.
1) When a question asks to configure two contexts, one named Admin, do we
still create a new context as Admin or use the default admin context?
Contexts are case sensitive, so I would go for the case. But during the test
this is one of those ask-the-proctor kind of things.
2) Also, when you make the config-url admin, I could see there are two .cfg
files; can both files exist?
Context Name  Class    Interfaces                    URL
*admin        default                                disk0:/admin.cfg
Admin         default  Ethernet0/1.4,22,Redundant1   disk0:/admin.cfg
R1            default  Ethernet0/1.3,22,Redundant1   disk0:/r1.cfg
Contexts are case sensitive, yes, but only one is an admin context.
3) What are the KEK and TEK policies, and what attributes should each policy
include? When I check 'show crypto gdoi group' I can see only the TEK policy,
as below; where is the KEK?
GROUP INFORMATION

    Group Name               : mygroup
    Group Identity           : 40
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : x.x.3.1
    Group Server list        : x.x.3.1
    GM Reregisters in        : 3030 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

    ACL Downloaded From KS x.x.3.1:
      access-list permit ip host 222.222.222.222 host 40.40.33.3
      access-list permit ip host 40.40.33.3 host 222.222.222.222

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/1:
    IPsec SA:
        spi: 0x74CA5CCB(1959419083)
        transform: esp-3des esp-md5-hmac
        sa timing: remaining key lifetime (sec): (3157)
        Anti-Replay : Disabled
The KEK is between the key server and the GM; see the following link for more information:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_encrypt_trns_vpn_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1140453
4) Does FPM work on sub-interfaces? I have configured FPM on a router (2811,
IOS 12.4(15)T12) and applied the service policy to a sub-interface denying large
ICMP packets, but when I ping with packet size 3000 I am still able to get the
reply.
This was answered by Tyson a few days ago; search for an email with the subject
"Whats wrong with this FPM?"
5) When the same interface is shared between two contexts, and the question
does not ask about mac-address, should we always configure the 'mac-address
auto' command?
Yes.
6) When we configure a CA server, is it required to set the clock, or is it
just best practice? Because it is still working with the current clock time.
Yes, it's one of the requirements.
7) What is the CRL lifetime when configuring a CA server?
Not sure what you're asking, but the default lifetime for a CRL is 1 week.
Thanks in advance...
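The following is an added example, not configuration from this thread or from the Cisco document linked above. It shows where the KEK and TEK attributes asked about in question 3 are configured on a GET VPN key server, and the matching group member side, reusing the group name (mygroup), identity (40), transform (esp-3des esp-md5-hmac), protected hosts and FastEthernet0/1 from the show output. The key server address is kept as x.x.3.1 exactly as the thread shows it; the names GDOI-TS, GDOI-PROFILE, GETVPN-ACL, GETVPN-REKEY and GDOI-MAP, and the rekey timer values, are assumptions.

```text
! ---- Key server (KS), added example ----
! TEK policy: the keys the GMs use on the data traffic. The transform set and
! the IPsec SA lifetime are what the GM later displays under "TEK POLICY"
! (esp-3des esp-md5-hmac; the 3157 s remaining in the thread fits a 3600 s
! lifetime).
crypto ipsec transform-set GDOI-TS esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 3600
 set transform-set GDOI-TS
!
! Traffic the group protects. The KS pushes this ACL to every GM, which is
! what appears as "ACL Downloaded From KS" on the GM.
ip access-list extended GETVPN-ACL
 permit ip host 222.222.222.222 host 40.40.33.3
 permit ip host 40.40.33.3 host 222.222.222.222
!
! RSA keypair used to sign rekey messages (KEK authentication); generated in
! exec mode before this config is applied (label assumed):
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 1024
!
crypto gdoi group mygroup
 identity number 40
 server local
  ! KEK policy: protects the rekey messages the KS sends to the GMs
  ! (cipher, KEK lifetime, retransmission, signing key, transport).
  rekey algorithm aes 128
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  ! TEK policy: binds the IPsec profile to the protected traffic. No
  ! "replay" line is configured, matching "Anti-Replay : Disabled" on the
  ! GM; adding "replay time window-size 5" would enable time-based
  ! anti-replay for the group.
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ACL
  address ipv4 x.x.3.1
!
! ---- Group member (GM), added example ----
crypto gdoi group mygroup
 identity number 40
 server address ipv4 x.x.3.1
!
crypto map GDOI-MAP 10 gdoi
 set group mygroup
!
interface FastEthernet0/1
 crypto map GDOI-MAP
```

On the key server, `show crypto gdoi ks policy` lists both the KEK and the TEK policy, which is the quickest way to confirm the rekey attributes that the GM output in the thread does not display.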
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
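The following is an added example, not configuration from this thread, for questions 1, 2 and 5: an ASA in multiple-context mode with the contexts and interface allocations from the table above, a single admin context, and `mac-address auto` because Ethernet0/1.22 and Redundant1 are shared by both contexts. Unlike the table, where both admin and Admin point to disk0:/admin.cfg, each context here gets its own file. The VLAN IDs (taken as equal to the sub-interface numbers) and the member interfaces of Redundant1 are assumptions.

```text
! ---- ASA system execution space, added example ----
! Context names are case sensitive: "Admin" and "admin" would be two
! different contexts with two different config-url files. Only the context
! named in admin-context is the admin context, whatever it is called.
mode multiple
!
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.3
 vlan 3
interface Ethernet0/1.4
 vlan 4
interface Ethernet0/1.22
 vlan 22
! Redundant1 member interfaces are assumed.
interface Redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 no shutdown
!
! Shared interfaces need unique MAC addresses per context so the ASA can
! classify incoming packets without relying on NAT or unique IP addresses.
mac-address auto
!
admin-context Admin
context Admin
 allocate-interface Ethernet0/1.4
 allocate-interface Ethernet0/1.22
 allocate-interface Redundant1
 config-url disk0:/Admin.cfg
!
context R1
 allocate-interface Ethernet0/1.3
 allocate-interface Ethernet0/1.22
 allocate-interface Redundant1
 config-url disk0:/r1.cfg
```

`show context` afterwards should mark exactly one context with the admin asterisk, and `show interface` in the system space shows the per-context MAC addresses assigned to the shared interfaces.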