NTP is required for the certificate validation process to go smoothly. The KEK
and TEK include the policies that are used for encryption and decryption. On
the KS, issue "sh crypto gdoi ks policy" and you can see them.

With regards
Kings

On Fri, Feb 25, 2011 at 12:49 AM, Basem Hanna <[email protected]> wrote:

> See inline
>
> -B (now back to work)
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Pemasiri
> Devanarayana
> *Sent:* Thursday, February 24, 2011 12:18 PM
> *To:* Kingsley Charles; Tyson Scott; [email protected]
> *Subject:* [OSL | CCIE_Security] GET VPN KEK/TEK
>
> Hi Kings, Tyson and all,
>
> Could you please clarify the below questions for me.
>
> 1) When a question asks to configure two contexts, one named Admin, do we
> still create a new context as admin or use the default admin context?
>
> Contexts are case sensitive, so I would go for the case. But during the test
> this is one of those ask-the-proctor kind of things.
>
> 2) Also, when you make the config-url admin, I could see there are two .cfg
> files; can both files exist?
>
> Context Name      Class      Interfaces           URL
> *admin            default                         disk0:/admin.cfg
>  Admin            default    Ethernet0/1.4,22,Redundant1 disk0:/admin.cfg
>  R1               default    Ethernet0/1.3,22,Redundant1 disk0:/r1.cfg
>
> Contexts are case sensitive, yes, but only one is an admin context.
>
> 3) What are the KEK and TEK policies, and what attributes should each policy
> include? When I check 'show crypto gdoi group' I could see only the TEK
> policy, as below; where is the KEK?
>
> GROUP INFORMATION
>     Group Name               : mygroup
>     Group Identity           : 40
>     Rekeys received          : 0
>     IPSec SA Direction       : Both
>     Active Group Server      : x.x.3.1
>     Group Server list        : x.x.3.1
>
>     GM Reregisters in        : 3030 secs
>     Rekey Received           : never
>
>     Rekeys received
>          Cumulative          : 0
>          After registration  : 0
>
>  ACL Downloaded From KS x.x.3.1:
>    access-list  permit ip host 222.222.222.222 host 40.40.33.3
>    access-list  permit ip host 40.40.33.3 host 222.222.222.222
>
> TEK POLICY for the current KS-Policy ACEs Downloaded:
>   FastEthernet0/1:
>     IPsec SA:
>         spi: 0x74CA5CCB(1959419083)
>         transform: esp-3des esp-md5-hmac
>         sa timing:remaining key lifetime (sec): (3157)
>         Anti-Replay : Disabled
>
> The KEK is between the key server and GM; see the following link for more
> information:
>
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_encrypt_trns_vpn_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1140453
>
> 4) Does FPM work on sub-interfaces? I have configured FPM on a router (2811,
> IOS 12.4(15)T12) and applied the service policy to a sub-interface denying
> large ICMP packets, but when I ping with packet size 3000 I was still able to
> get the reply.
>
> This was answered by Tyson a few days ago; search for an email with the
> subject “Whats wrong with this FPM?”
>
> 5) When there's a situation where the same interface is shared between two
> contexts, and the question does not ask about mac-address, should we always
> configure the 'mac-address auto' command?
>
> Yes.
>
> 6) When we configure a CA server, is it required to set the clock, or is it
> just a best practice? Because it is still working with the current clock
> time.
>
> Yes, it’s one of the requirements.
>
> 7) What is the CRL lifetime when configuring a CA server?
>
> Not sure what you’re asking, but the default lifetime for a CRL is 1 week.
>
>
>
> Thanks in advance...
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
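Added example, not from the thread and not from any of the posters: a minimal GET VPN key server (KS) and group member (GM) configuration in IOS that shows where the KEK and TEK policies asked about in question 3 actually live. The `rekey ...` lines under `server local` form the KEK policy (the key and signature settings that protect rekey messages sent from the KS to the GMs); the `sa ipsec` block together with its IPsec profile forms the TEK policy (the data-plane IPsec SA the GMs download, which is the only part `show crypto gdoi group` printed on the GM above). The group name, identity number, ACL entries, transform set and disabled anti-replay match the output in the thread; the KS address 10.0.3.1, the pre-shared key, the RSA key label GDOI-REKEY, the ACL, transform-set, profile and crypto map names are assumptions for this example.

```cisco
! ===== Key server (KS) =====
! Assumed names/addresses: GETVPN-ACL, GDOI-TS, GDOI-PROFILE, GDOI-REKEY, 10.0.3.1
!
! Traffic the TEK will protect (same ACEs the GM downloaded in the thread)
ip access-list extended GETVPN-ACL
 permit ip host 222.222.222.222 host 40.40.33.3
 permit ip host 40.40.33.3 host 222.222.222.222
!
! IKE phase 1 used only for GM registration to the KS
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key GETVPNKEY address 0.0.0.0 0.0.0.0
!
! RSA key pair that signs rekey messages (exec command, not config):
!   crypto key generate rsa general-keys label GDOI-REKEY modulus 1024
!
! TEK transform matches the GM output: esp-3des esp-md5-hmac, 3600 s lifetime
crypto ipsec transform-set GDOI-TS esp-3des esp-md5-hmac
!
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 3600
 set transform-set GDOI-TS
!
crypto gdoi group mygroup
 identity number 40
 server local
  ! --- KEK policy: how rekeys from KS to GMs are encrypted and signed ---
  rekey algorithm aes 128
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GDOI-REKEY
  rekey transport unicast
  ! --- TEK policy: the data-plane IPsec SA pushed to every GM ---
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ACL
   no replay
  address ipv4 10.0.3.1
!
! ===== Group member (GM) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key GETVPNKEY address 10.0.3.1
!
crypto gdoi group mygroup
 identity number 40
 server address ipv4 10.0.3.1
!
crypto map GETVPN-MAP 10 gdoi
 set group mygroup
!
interface FastEthernet0/1
 crypto map GETVPN-MAP
```

On the KS, `show crypto gdoi ks policy` (as in the answer at the top of the thread) lists both the KEK and the TEK that the KS will hand out; the GM side only shows the TEK it has downloaded once registration to the KS has completed, which is why the ACL and the IPsec SA appear in the GM output but the rekey parameters do not.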

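Added example, not from the thread, for questions 6 and 7 and the NTP remark at the top: an IOS CA server configuration with the router clock sourced from NTP before the server is started (certificates and CRLs carry validity times, so enrollment and validation depend on the clock being correct) and the CRL lifetime set explicitly to its default of 168 hours, i.e. the one week quoted in the answer above. The NTP server address 10.0.0.10, the CA name MYCA, the issuer name and the timezone are assumptions for this example.

```cisco
! Assumed: NTP server 10.0.0.10, CA name MYCA, issuer CN=MYCA,O=Lab
!
! Clock first: the CA signs notBefore/notAfter into every certificate and
! nextUpdate into every CRL, so start NTP before 'no shutdown' on the server.
clock timezone UTC 0
ntp server 10.0.0.10
!
! SCEP enrollment is served over HTTP
ip http server
!
crypto pki server MYCA
 database level complete
 database url nvram:
 issuer-name CN=MYCA,O=Lab
 ! certificate lifetimes are in days
 lifetime ca-certificate 1825
 lifetime certificate 365
 ! CRL lifetime is in hours; 168 is the default (one week)
 lifetime crl 168
 grant auto
 no shutdown
```

If NTP is not available in the lab, `clock set` from exec mode before `no shutdown` achieves the same thing for the duration of the exercise; the point is that the CA certificate, the issued certificates and the CRL are all stamped with whatever time the router has when they are generated.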