Refer to the exhibit.
R3
ip vrf mgmt
!
crypto keyring CCIE vrf mgmt
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 33
 encr 3des
 authentication pre-share
 group 2
 lifetime 600
!
crypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile site_a
 set security-association lifetime seconds 600
 set transform-set site_ab
!
crypto gdoi group group_a
 identity number 100
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 300
  rekey retransmit 10 number 3
  rekey authentication mypubkey rsa cciekey
  rekey transport unicast
  sa ipsec 1
   profile site_a
   match address ipv4 site_a
   replay counter window-size 64
   no tag
  address ipv4 10.1.20.3
!
interface GigabitEthernet3
 ip address 10.1.20.3 255.255.255.0
!
ip access-list extended site_a
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R3 is the key server in a VRF-aware GETVPN implementation. The group members for site A register with the key server via interface address 10.1.20.3/24 in the management VRF "mgmt". The group ID for site A is 100; it is used to retrieve the group policy and keys from the key server.
The traffic to be encrypted by the site A group members is between 192.186.4.0/24 and 192.186.5.0/24. The preshared key used by the group members to authenticate with the key server is "cisco". It has been reported that the group members cannot encrypt the traffic defined in the group policy of site A.
Which two possible issues are true? (Choose two.)
A. The registration interface is not part of the management VRF "mgmt"
B. Incorrect encryption traffic defined in the group policy
C. Incorrect encryption in the ISAKMP policy
D. Incorrect password in the keyring configuration
E. The GDOI group has an incorrect local server address
F. Incorrect security-association lifetime in the IPsec profile
Answer: AB
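As an added check that is not part of the original question, the script below parses the exhibit and tests the two faults behind answers A and B: whether the interface that owns the key server's local address sits in the keyring's VRF, and whether the GDOI policy ACL covers the stated site traffic in both directions. It works on any IOS running-config in the one-space block style; the EXHIBIT string, the constructed traffic pair and all function names are assumptions for this example.

```python
import ipaddress
import re
# Constructed copy of the exhibit lines the checks need, in IOS one-space block style.
EXHIBIT = """\
crypto keyring CCIE vrf mgmt
crypto gdoi group group_a
 match address ipv4 site_a
 address ipv4 10.1.20.3
interface GigabitEthernet3
 ip address 10.1.20.3 255.255.255.0
ip access-list extended site_a
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
"""

def first(pattern, cfg):  # first capture group of a line-anchored regex, or None
    return (m := re.search(pattern, cfg, re.M)) and m.group(1)

def blocks(cfg):  # yield (header, [split sub-lines]) for each top-level IOS stanza
    hdr, body = None, []
    for raw in cfg.splitlines() + [""]:
        if raw.startswith(" "):
            body.append(raw.split())
        else:
            if hdr is not None:
                yield hdr, body
            hdr, body = raw.strip(), []

def interface_vrf(cfg, addr):  # VRF of the interface owning addr; None = global table
    for hdr, body in blocks(cfg):
        if hdr.startswith("interface ") and ["ip", "address", addr] in [w[:3] for w in body]:
            return next((w[3] for w in body if w[:3] == ["ip", "vrf", "forwarding"]), None)
    return None

def acl_covers(cfg, name, src, dst):  # does a 'permit ip' entry of the ACL contain src -> dst?
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for hdr, body in blocks(cfg):
        for w in (body if hdr == f"ip access-list extended {name}" else []):
            if w[:2] != ["permit", "ip"]:
                continue
            es, ed = (ipaddress.ip_network(f"{w[i]}/{w[i + 1]}") for i in (2, 4))  # wildcard = hostmask
            if s.subnet_of(es) and d.subnet_of(ed):
                return True
    return False

def check_key_server(cfg, src, dst):  # True = configured correctly, False = fault present
    ks_addr = first(r"^ +address ipv4 (\S+)$", cfg)
    acl = first(r"^ +match address ipv4 (\S+)$", cfg)
    in_vrf = interface_vrf(cfg, ks_addr) == first(r"^crypto keyring \S+ vrf (\S+)$", cfg)
    covered = acl_covers(cfg, acl, src, dst) and acl_covers(cfg, acl, dst, src)  # both directions
    return {"A_registration_in_vrf": in_vrf, "B_policy_covers_traffic": covered}
```

Running `check_key_server(EXHIBIT, "192.186.4.0/24", "192.186.5.0/24")` reports both checks as False; adding `ip vrf forwarding mgmt` under GigabitEthernet3 and replacing the ACL entry with the two site prefixes turns both to True.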