VPN Top 100 Interview Questions and Answers

Ques 1. What is VPN?

VPN is an abbreviation for virtual private network. A VPN extends a private network across a public network and allows end hosts to perform data communication across shared or public networks. VPNs can be categorized into two types:

  1. Remote Access VPN and
  2. Site to Site VPN.

Remote Access VPN connects individual users (end hosts) to private networks. In a remote access VPN scenario, every user needs their own VPN client.

Site-to-Site VPN solutions enable businesses to connect sites and transport data using encryption and other security protocols. To securely relay information across the public Internet, the VPN uses a security method called IPsec to build an encrypted tunnel from the provider’s network to the customer’s site.

Ques 2. What Security Vulnerabilities Are Addressed By VPN?

VPNs protect the privacy of a traffic flow and provide an authentication mechanism for a gateway, site, computer, or individual. Typically, communication is sufficiently protected that no one can pretend to be side A or side B. Threats and vulnerabilities are always present when two parties communicate across the unsecured Internet. Especially for corporates and mobile users away from the corporate LAN, secured access between endpoints becomes a key business requirement, and VPN addresses it by allowing clean and secured communication to occur across the Internet.

Ques 3. What is Authentication, Confidentiality & Integrity?

Authentication –

Authentication is used to recognize a user’s identity. It is an approach to associate an incoming request with a set of credentials. The credentials provided are compared to those on file in a database of authorized users’ information on an authentication server.

Confidentiality –

Confidentiality refers to protecting information from disclosure to unauthorized parties. A key component of protecting information confidentiality is encryption. Encryption ensures that only the right people (those who know the key) can read the information. A prominent example is SSL/TLS, a security protocol for communications over the Internet that has been used in conjunction with a large number of Internet protocols to ensure security.

Integrity –

Integrity of information refers to protecting information from being modified by unauthorized parties. Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people. A commonly used method to protect data integrity is hashing the data you receive and comparing it with the hash of the original message.

Ques 4. List some key security considerations while deploying a VPN solution?

Some key considerations while deploying a VPN solution are shared below –

  •   VPN connections should traverse through a firewall.
  •   An IDS / IPS is recommended in order to monitor attacks more effectively.
  •   Anti-virus software should be installed on remote clients.
  •   Unsecured or unmanaged systems with simple or no authentication should not be allowed to make VPN connections to the internal network.
  •   Logging and auditing functions should be provided, especially of unauthorized attempts.
  •   The VPN public interface (Internet facing) should be in a Demilitarized Zone (DMZ).
  •   It is advisable not to use split tunnelling to access the Internet or any other insecure network simultaneously during a VPN connection. If split tunneling is used, a firewall and IDS should be used to detect and prevent any potential attack coming from insecure networks.

Ques 5. What is Symmetric and Asymmetric Encryption?

Below table details the difference between Symmetric and Asymmetric encryption –

Ques 6. Which UDP ports should be open on a firewall to allow traffic from L2TP/IPsec based VPN clients to a PPTP VPN server on the inside?

  •   UDP port 500 for IKE traffic
  •   UDP port 1701 for L2TP communication between client and server
  •   UDP port 4500 for NAT-T communication.

Ques 7. What is IPsec VPN?

IP Security (IPsec) is a standard for providing privacy, integrity, and authenticity to traffic transferred across IP networks. IPsec provides IP network-layer encryption and is often used to allow secure, remote access to an entire network (rather than just a single device).

IPsec has two modes, tunnel mode and transport mode –

  •   Tunnel mode is the default mode. In tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and encapsulated by the IPsec headers and trailers. Then a new IP header is prepended to the packet. An IPsec “tunnel” protects the IP traffic between hosts by encrypting this traffic between the IPsec peer routers.
  •   Transport mode is the mode where only the payload of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPsec headers and trailers. The original IP headers remain intact, except that the IP protocol field is changed to ESP (50). Transport mode is used only when the IP traffic to be protected is between the IPsec peers themselves, i.e. the source and destination IP addresses on the packet are the same as the IPsec peer addresses.

Ques 8. Is VPN a Long-term Solution or a Short-term arrangement?

VPNs are clearly a long-term solution. The key challenge that VPNs address is privacy over a public network, and this need doesn’t seem to be going anywhere. Hence, VPNs will continue to be used across desktops, laptops and servers.

Ques 9. At what layer does IPsec work?

IPsec functions at the network layer (Layer 3) of the OSI model.

Ques 10. What is the name of the Cisco VPN client installed on end devices?

AnyConnect Client

Ques 11. Does Cisco 4000 Series Router IOS support SSL VPN?

No, to date Cisco ISR 4000 Series routers don’t support SSL VPN.

Ques 12. Name a major drawback of IPsec?

It relies for its security on public keys. If we have poor key management or the integrity of the keys is compromised, then we lose the security factor.

Ques 13. What is difference between GETVPN and FlexVPN?

Below table enumerates difference between GETVPN and FlexVPN

Ques 14. What is the difference between Transport and Tunnel mode?

Below diagram shows the format of transport and tunnel mode –

Further, their differences are enumerated in the table below –

Ques 15. What are the three main security services that IPSec VPN provides?

3 main security services that IPSec VPN provides are –

  •   Peer Authentication
  •   Data Confidentiality
  •   Data Integrity

Ques 16. Define Digital Signatures?

A Digital Signature is an electronic signature used to validate the authenticity and integrity of shared documents. Digital Signatures work on the concept of a signed paper document and convert this into an electronic coded message, also referred to as a “fingerprint”. This “fingerprint” is unique to both the document and the signer and binds them together. In fact, this signature cannot be copied to another document. It is used to validate the authenticity and integrity of a digital document.

Digital signatures are based on Public Key Infrastructure. In this methodology two keys are generated: (1) a Public Key and (2) a Private Key. The private key is kept securely by the signer, while the receiver must have the public key to decrypt the message.

In the diagram, the Signer needs to send an encrypted message to the Receiver. But first, the Sender must have a private key to sign the message digitally. An algorithm hashes the message into a format known as a hash value, which in the next step is encrypted with the sender’s private key. Once both steps are complete, the message is said to be digitally signed.

On the Receiver’s side, the digitally signed message is decrypted with the help of the signer’s public key. The public key decrypts the signature and yields a hash value. Then the program which is used to open the message compares this hash value to the original hash value which was generated on the Sender’s side. If the hash values match, then the program will allow the message to open.

Ques 17. What Are Reasonable Expectations for A VPN?

End-to-end privacy is the reasonable expectation, and the cryptography lives up to it. Hence, we may rightly say that a VPN encrypts the data, which is then well hidden from sniffers on the unsecured Internet.

Ques 18. What is Authorization?

Authorization is a security control approach used to determine access levels of users with respect to system resources. The resources may be applications, programs, files, services and data. During authorization, a system verifies an authenticated user’s access rules and either grants or refuses resource access.

In simple words, we may also say that an authorization policy dictates what your identity is allowed to do. As an example, all the customers of a bank can create their respective user IDs to log into that bank’s net banking, but the bank’s authorization policy ensures that users are authorized to access only their individual account information and not other users’ account information.

Ques 19. What is the future of Global VPN market?

With growth in technology and exponential growth in user-application communication, new threats have also been introduced into the network environment. This is where VPN plays a pivotal role in supporting cyber security. Today, every organization is taking hard steps to secure its virtual infrastructure and environment, and for that it is adopting various tools and methods. VPN is the preferred option to provision a secured infrastructure.

Ques 20. What is Site to Site and Remote Access VPN?

Ques 21. What are the 3 protocols used in IPSec?

3 main protocols used in IPsec are –

  •   IPsec Authentication Header (AH)
  •   Encapsulating Security Payload (ESP)
  •   Internet Key Exchange (IKE)

Ques 22. Explain IPsec Protocol Headers?

Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two key protocols used in IPsec. These protocol headers help authenticate (AH) and encrypt + authenticate (ESP) the data flowing over that connection.

AH protocol provides authentication only. AH provides data integrity, data origin authentication, and an optional replay protection service. Data integrity is ensured by using a message digest that is generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication is ensured by using a shared secret key to create the message digest. Replay protection is provided by using a sequence number field with the AH header.

ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication. When ESP provides authentication functions, it uses the same algorithms as AH, but the coverage is different.

Ques 23. How do ESP & AH provide anti-replay protection?

Both the ESP and AH protocols provide anti-replay protection based on sequence numbers. The sender increments the sequence number after each transmission, and the receiver checks the sequence number and rejects the packet if it is out of sequence.
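The receiver-side check described above, as an added example that is not part of the original page. It goes beyond the strict “reject if out of sequence” wording to the sliding window that ESP and AH receivers actually keep (RFC 4303, section 3.4.3), so packets reordered by the network within the window are still accepted while duplicates and packets older than the window are dropped. The window size and the sequence numbers in the sample run are constructed values.

```python
# Added example, not from the original page: an IPsec-style anti-replay
# window for one inbound Security Association. Bit 0 of `bitmap` tracks the
# highest sequence number received; bit i tracks (highest - i). Sequence
# numbers are plain 32-bit counters here; Extended Sequence Numbers (ESN)
# and counter wrap are out of scope. Window size 64 is a constructed choice.


class AntiReplayWindow:
    """Receiver-side anti-replay state (sliding window, RFC 4303 3.4.3)."""

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.window_size = window_size
        self.highest = 0           # highest sequence number accepted so far
        self.bitmap = 0            # bit i set => (highest - i) already seen
        self.stats = {"accepted": 0, "replayed": 0, "stale": 0}

    def check(self, seq: int) -> bool:
        """Return True (and record seq) if the packet is fresh, else False."""
        if seq <= 0 or seq >= 1 << 32:
            return False            # 0 is never sent; 32-bit counter
        if seq > self.highest:
            # Ahead of the window: slide it forward, then mark seq as seen.
            shift = seq - self.highest
            if shift < self.window_size:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1     # everything seen before is now out of window
            self.highest = seq
            self.stats["accepted"] += 1
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            self.stats["stale"] += 1
            return False            # older than the window: drop
        if self.bitmap & (1 << offset):
            self.stats["replayed"] += 1
            return False            # already seen: replay
        self.bitmap |= 1 << offset  # late but within the window: accept
        self.stats["accepted"] += 1
        return True


def process_sequence(seqs, window_size: int = 64):
    """Run a list of received sequence numbers through one window and
    return ([(seq, accepted), ...], stats)."""
    win = AntiReplayWindow(window_size)
    return [(s, win.check(s)) for s in seqs], win.stats


if __name__ == "__main__":
    # Constructed sample: in-order packets, one reordering (5 before 4),
    # one replay (3 again), a large jump, late-but-valid arrivals, a stale
    # packet that fell behind the window, and a replay of the newest packet.
    sample = [1, 2, 3, 5, 4, 3, 100, 40, 37, 36, 100]
    results, stats = process_sequence(sample)
    for seq, ok in results:
        print(f"seq {seq:>3}: {'accept' if ok else 'DROP'}")
    print(stats)
```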

Ques 24. What is IKE?

The Internet Key Exchange (IKE) protocol, described in RFC 2409, is a key management protocol standard which is used in combination with the IPsec standard. It is a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet. Before IPsec sends authenticated or encrypted IP data, both the sender and receiver must agree on the protocols, encryption algorithms and keys to use for message integrity, authentication and encryption. IKE is used to negotiate these and provides primary authentication.

Ques 25. What are key requirements to configure VPN?

VPN client – Client VPN software to make a secure remote connection.
VPN server – VPN appliance to handle and manage incoming VPN traffic and to establish/manage VPN sessions.

Ques 26. For which protocol does IKE work?

IKE works for IPsec by providing security for VPN negotiations and network access to random hosts.

Ques 27. Explain how IKE/ISAKMP Works?

IKE works in 2 phases, explained below –

Phase 1 –

The primary purpose of IKE phase 1 is to authenticate the IPsec peers and to set up a secure channel between the peers for IKE exchanges to take place. IKE phase 1 functions include –

  •   Authentication and protection of IPsec peer identities
  •   Negotiation of a matching IKE SA policy between peers
  •   Performing an authenticated Diffie-Hellman exchange to obtain a matching shared secret key
  •   Setting up a secure tunnel to negotiate IKE phase 2 parameters.

IKE phase 1 occurs in two modes: main mode and aggressive mode.

Phase 2 –

During IKE phase 2, negotiation of IPsec SAs occurs to set up the IPsec tunnel. IKE phase 2 performs the following functions –

  •   Negotiates IPsec SA parameters
  •   Establishes IPsec SAs
  •   Periodically renegotiates IPsec SAs
  •   Performs a Diffie-Hellman exchange (optional)

IKE phase 2 has only one mode – Quick mode. Quick mode occurs after IKE has established the secure tunnel in phase 1. It negotiates a shared IPsec policy, derives shared secret keying material used for the IPsec security algorithms, and establishes IPsec SAs. Quick mode exchanges shared secret key material and prevents replay attacks from generating bogus SAs.

Ques 28. Explain the messages exchanged between the peers in IKE/ISAKMP?

Below graph shows step by step IKE communication in phase 1 and phase 2. While steps 1 to 5 are from phase 1, steps 6 to 9 take place during phase 2.

Ques 29. What is Diffie-Hellman?

DH (abbreviation for Diffie-Hellman) is a secure method of key exchange used for exchanging public information to obtain a shared secret. DH is not an encryption algorithm. This method allows 2 parties which have no prior knowledge of each other to establish a shared secret key, even over an insecure channel.

DH key exchange has the following important attributes –

  •   The computed shared secret cannot be calculated by either of the individual parties without each other’s cooperation.
  •   Even a third party eavesdropping on and observing all the messages exchanged during the DH key exchange cannot decipher the resulting shared secret.

Ques 30. How does Diffie-Hellman work?

This example will help show how Diffie-Hellman works end to end. Each party, i.e. both Nick and John, creates a pair of one private key and one public key. When establishing a secure connection, Nick sends John his public key and John sends Nick his public key. By combining their own private key with the other party’s public key, they both arrive at the same shared secret. This shared secret key is then used to encrypt/decrypt the messages Nick and John send to each other.
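The Nick/John exchange described above carried through in code, as an added example that is not part of the original page. The function names, the toy parameters p = 23, g = 5 and the fixed private exponents are assumptions chosen for readability; IKE uses the large MODP groups of RFC 2409 / RFC 3526 with random private exponents. It also shows the range check a receiving peer should make on the public value it is sent, which the text does not mention.

```python
# Added example, not from the original page: the Nick/John Diffie-Hellman
# exchange from Ques 30 in code. Each side keeps a private exponent,
# publishes g^priv mod p, and derives the same shared secret from the peer's
# public value; a hash of that secret becomes the key material. The values
# under __main__ are constructed toy parameters; IKE uses the large MODP
# groups defined in RFC 2409 / RFC 3526.

import hashlib


def dh_public(p: int, g: int, priv: int) -> int:
    """Public value sent to the peer: g^priv mod p."""
    return pow(g, priv, p)


def validate_peer_public(p: int, peer_pub: int) -> None:
    """Reject degenerate public values (0, 1, p-1) that would force the shared
    secret to a value anyone can predict; a receiving peer must check this."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")


def dh_shared(p: int, peer_pub: int, priv: int) -> int:
    """Shared secret from the peer's public value and our own private exponent."""
    validate_peer_public(p, peer_pub)
    return pow(peer_pub, priv, p)


def derive_key(shared: int, length: int = 32) -> bytes:
    """Fixed-length key material from the raw shared secret (SHA-256)."""
    width = (shared.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()[:length]


def run_exchange(p: int, g: int, nick_priv: int, john_priv: int):
    """Both sides of the exchange; returns (nick_pub, john_pub, nick_key, john_key)."""
    nick_pub = dh_public(p, g, nick_priv)      # Nick -> John (over the wire)
    john_pub = dh_public(p, g, john_priv)      # John -> Nick (over the wire)
    nick_secret = dh_shared(p, john_pub, nick_priv)   # Nick combines John's public value
    john_secret = dh_shared(p, nick_pub, john_priv)   # John combines Nick's public value
    return nick_pub, john_pub, derive_key(nick_secret), derive_key(john_secret)


if __name__ == "__main__":
    # Toy parameters (constructed, textbook values): p = 23, g = 5. The
    # private exponents 6 and 15 never leave Nick's and John's hosts.
    nick_pub, john_pub, nick_key, john_key = run_exchange(23, 5, 6, 15)
    print("on the wire: Nick sends", nick_pub, "and John sends", john_pub)  # 8 and 19
    print("same key material on both sides:", nick_key == john_key)         # True
```

An eavesdropper sees only p, g and the two public values; with the toy modulus the private exponents can be found by trial, which is exactly why real groups are thousands of bits long.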

Ques 31. What are Security Associations?

A Security Association (SA) is an agreement between two entities (IPsec peers) that describes how the entities will use security services to communicate securely. An SA is a one-way logical connection, so we need two SAs, one for inbound traffic and one for outbound traffic, on each gateway. With the supported IPsec protocols, SAs offer data protection for unidirectional traffic.

Ques 32. What is a Transform set?

A transform set is a set of protocols and algorithms an end user may choose to use for their VPN/IPsec security parameters. The 3 factors that make up a proposal or transform set are –

  •   Data encryption
  •   Data authentication
  •   Encapsulation mode.

During the ISAKMP IPsec security association negotiation that occurs in IKE phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular data flow.

Ques 33. What are Crypto access lists?

A crypto ACL is not a classification in terms of standard or extended ACL. A crypto ACL uses an extended ACL in which we specify the source and destination addresses to be encrypted. Below is an example where I create an ACL by the name crypto –

    ip access-list extended crypto
     permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Ques 34. Cite one example where a VPN will hinder the firewall from fully implementing its security policy?

If a VPN is in use from a system behind a firewall to a system outside the firewall, the firewall cannot enforce an organization’s security policy beyond connection rules.

Ques 35. In an SSL VPN architecture, where are the session keys stored?

The keys are derived dynamically.

Ques 36. What is a Crypto map?

A crypto map is a configuration entity in VPN that performs two key functions –

  •   Filtering and classifying traffic to be protected (interesting traffic).
  •   Defining the policy for that traffic.

A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec.

Ques 37. What is SSL/TLS?

SSL / TLS is a transport-layer protocol that uses TCP port 443. The SSL protocol is defined by the IETF. SSL/TLS is used to provide confidentiality, integrity, and digital signatures. Unlike IPsec, where the parties negotiate cryptographic functions individually, SSL / TLS uses cipher suites to define the set of cryptographic functions for a client and server to use for a secured communication.

Ques 38. What is Split Tunneling? Why is it required?

The standard behaviour of a VPN is to route all your Internet traffic through an encrypted tunnel towards the Data Centre to protect your data from attack (without split tunnelling). However, with split tunnelling enabled, VPN users are able to connect to corporate applications at the Data Centre through the VPN connection while activities like Internet browsing, FTP etc. go directly via the local Internet rather than taking the VPN path to the Data Centre through the VPN tunnel. Below are the benefits that can be reaped from split tunneling –

  •   One advantage of using split tunnelling is that it alleviates bottlenecks and conserves bandwidth, as Internet traffic does not have to pass through the VPN server.
  •   Cost is saved.
  •   Latency will not suffer for end users while web surfing.
  •   Users get the best performance of whatever ISP they are connected to.

Ques 39. How do you verify the status of the tunnel’s phase 1 & 2?

Phase 1 – show crypto isakmp sa
Phase 2 – show crypto ipsec sa

Ques 40. What is IPsec Virtual Tunnel Interface?

IP security (IPsec) virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIs simplify the configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.

Ques 41. What is L2F?

L2F is an abbreviation for Layer 2 Forwarding. It creates Network Access Server (NAS)-initiated tunnels by forwarding Point-to-Point Protocol (PPP) sessions from one endpoint to another across a shared network infrastructure. Cisco Systems developed the L2F protocol.

Ques 42. What are different types of VPN protocols?

Below are different types of VPN protocols

  •   PPTP
  •   L2TP
  •   IPsec
  •   DMVPN
  •   SSL and TLS
  •   SSH
  •   OpenVPN

Ques 43. What are the main components of VPN?

The 3 main components of VPNs are tunnels, endpoints, and sessions.

  •   Tunnels – These are virtual channels through a shared medium. They provide a secure communications path between two peers. Every VPN tunnel can consist of multiple sessions.
  •   Endpoints – An endpoint is a network device on which a tunnel ends. Endpoints may be a computer running a VPN client, a router or a gateway. The two ends of a tunnel are commonly called the source and the destination endpoints. A source endpoint initiates the tunnel; a destination endpoint terminates the tunnel.
  •   Sessions – Portions of tunnels that pertain to the transmission of a specific user in a single, tunnelled PPP call between two peers. A remote access tunnel can contain one or more PPP connections. Each connection represents one user. However, Performance Monitor refers to any user connection to a device as a session.

Ques 44. What is CBC?

Cipher Block Chaining (CBC) is a cryptographic mode that provides data encryption and authentication using AH and ESP.

Ques 45. What is the difference between Static Crypto Maps and Dynamic Crypto Maps?

A static crypto map identifies the peer and traffic to be encrypted explicitly. It is typically used to accommodate a few tunnels with different profiles and characteristics (like different partners, sites and locations). When we have the IP information of both the peers and the respective side policies, we normally use static crypto maps.
A dynamic crypto map is one of the ways to accommodate peers sharing the same characteristics (e.g. multiple branch offices sharing the same configuration) or peers having dynamic IP addressing (DHCP, etc.).

Ques 46. What is Cisco Easy VPN?

Cisco Easy VPN is an IPsec VPN solution supported by Cisco routers and security appliances. It is a simple VPN deployment for remote offices and mobile workers. Cisco Easy VPN is based on the Cisco Unity Client Framework, which centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments.

Policies are defined mostly on the hub and pushed to remote spoke VPN devices, ensuring that clients have up-to-date policies in place before establishing a secure connection.
There are three components of the Cisco Easy VPN solution:

  •   Easy VPN Client
  •   Easy VPN Remote
  •   Easy VPN Server
Ques 47. What are the 3 key methods to control the access of VPN users and allow access to selective resources?

3 key methods to control the access of VPN users are –

  •   Access control lists (ACLs) and downloadable ACLs
  •   Split tunneling
  •   Access hours/time range

Ques 48. What are the two IKE methods used by the IPsec protocol for secure tunnel negotiation?

IKEv1 and IKEv2

Ques 49. What is the meaning of DAP with respect to VPN?

DAP stands for Dynamic Access Policies.

Ques 50. Give examples of symmetric keys and their sizes?

Examples of symmetric algorithms and their key sizes include the following:

  •   DES uses a key size of 56 bits.
  •   3DES uses a key size of 168 bits.
  •   AES offers 128-, 192- and 256-bit key sizes.

Ques 51. What is DMVPN?

DMVPN stands for Dynamic Multipoint VPN. It is a point-to-multipoint VPN working on GRE technology. DMVPN can have the following topologies –

(1) Hub-and-Spoke

(2) Spoke-to-Spoke.

The 2 key technologies DMVPN relies on to function are –

NHRP

mGRE

NHRP is similar to ARP in LAN technologies. It is a layer 2 resolution protocol and cache. The Hub maintains a special NHRP database with the public IP addresses of all configured spokes. Each spoke registers its public IP address with the hub and queries the NHRP database for the public IP address of the destination spoke it needs to build a VPN tunnel to.

An mGRE tunnel interface is used to allow a single GRE interface to support multiple IPsec tunnels and helps dramatically to simplify the complexity and size of the configuration. With an mGRE tunnel, the hub router only needs to have a single tunnel interface, with n number of destinations.

Ques 52. What is GRE in PPTP?

Generic Routing Encapsulation is a protocol for the Point-to-Point Protocol. The encapsulation of a variety of network layer protocol packet types inside IP tunnels is done by GRE. This is done by creating virtual point-to-point links to routers at remote points over an IP internetwork. It is a completely stateless protocol. Soon after it is configured, the GRE tunnel interface comes up and stays up as long as a valid tunnel source address or interface is up.

Ques 53. Why is PPTP not the preferred choice in many VPN deployments?

The 2 key reasons why PPTP is not the preferred choice in many deployments are –

  •   PPTP does not offer data integrity or data origin verification.
  •   PPTP does not provide the best performance on unstable connections.

Ques 54. Can you explain CHAP?

CHAP is an abbreviation for Challenge Handshake Authentication Protocol and is defined in RFC 1994. CHAP verifies the identity of the peer by means of a three-way handshake. Below are the steps performed in CHAP communication –

  •   Once CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer.
  •   The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)).
  •   The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated.
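The three steps above in code, as an added example that is not part of the original page, following the RFC 1994 response computation MD5(Identifier || secret || Challenge). The peer name, shared secret and challenge length are constructed values, and the Authenticator class and run_handshake helper are illustrative, not taken from any real PPP implementation.

```python
# Added example, not from the original page: the three-step CHAP exchange
# from Ques 54 in code, following RFC 1994 section 4.1, where the response is
# MD5(Identifier || secret || Challenge). The secret, peer name and challenge
# length below are constructed sample values.

import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5 over the one-octet Identifier, the secret and the challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Authenticator side. Issues a fresh random challenge per attempt and
    checks the peer's response against its own copy of the shared secret.
    CHAP needs the secret itself (not a salted hash of it) to recompute the
    response, so the authenticator's secret store must be protected."""

    def __init__(self, secrets_by_name: dict) -> None:
        self._secrets = secrets_by_name
        self._identifier = 0
        self._pending = {}          # identifier -> outstanding challenge value

    def challenge(self, length: int = 16) -> tuple:
        """Step 1: send (Identifier, Challenge) to the peer."""
        self._identifier = (self._identifier + 1) & 0xFF
        value = secrets.token_bytes(length)
        self._pending[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare in constant time.
        Each challenge is single-use, so a captured response cannot be
        presented again against this authenticator."""
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_handshake(auth: Authenticator, name: str, peer_secret: bytes):
    """Drive one CHAP exchange; returns (identifier, response, success)."""
    identifier, challenge = auth.challenge()                      # authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # peer -> authenticator
    return identifier, response, auth.verify(identifier, name, response)


if __name__ == "__main__":
    auth = Authenticator({"branch-router": b"constructed-shared-secret"})
    _, _, ok = run_handshake(auth, "branch-router", b"constructed-shared-secret")
    print("correct secret:", ok)    # True
    _, _, ok = run_handshake(auth, "branch-router", b"wrong-secret")
    print("wrong secret:", ok)      # False
```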

Ques 55. Explain what is PAP?

Password Authentication Protocol (PAP) is a user authentication protocol that does not encrypt the data and sends the password and username as plain text. PAP is very vulnerable to being read since the information is static.

Ques 56. What does PPTP use for encryption and authentication?

PPTP encryption uses the MPPE 128-bit cipher with or without compression and MS-CHAPv2 authentication.

Ques 57. What are the three phases of DMVPN?

The 3 phases of DMVPN are listed below –

Phase 1 – All traffic flows through the hub. The hub is used for the control plane and data plane of the network path.

Phase 2 – Allows spoke-to-spoke tunnels to be formed. During spoke-to-spoke communication the hub will not be in the actual data plane. Spoke-to-spoke tunnels are on demand, based on spoke traffic triggering the tunnel.

Phase 3 – Improves the scalability of Phase 2. “NHRP redirect” and “shortcuts” take care of traffic flows.

Ques 58. Explain Next Hop Resolution Protocol (NHRP)?

NHRP is a client/server protocol similar to the ARP protocol in LAN technologies. It is a layer 2 resolution protocol which dynamically maps a non-broadcast multi-access (NBMA) network. NHRP has two components –

  •   NH Client – NHC
  •   NH Server – NHS

The NHS takes the role of HUB and the NHC takes the role of SPOKE. The NHRP protocol is responsible for allowing NHCs to dynamically register with NHSs. This allows the NHCs to join the NBMA network without configuration changes on the NHS. NHRP allows one NHC (SPOKE) to dynamically discover the logical VPN IP to physical NBMA IP mapping for another NHC within the same NBMA network.

Ques 59. What is GRE?

Generic Routing Encapsulation (GRE) is defined by RFC 2784. GRE encapsulates data packets and sends them to a device that de-encapsulates them and routes them to the destination. A GRE tunnel is used when IP packets need to be sent from one network to another without being parsed or treated like IP packets by any intervening routers.

Ques 60. Name a major drawback of both GRE & L2TP?

Neither of these protocols encrypts traffic to provide protection for the data being tunnelled. If we want to protect the traffic, then we need to run something like IPsec in addition to L2TP or GRE.

Ques 61. Who are the major VPN players in the enterprise VPN market?

Cisco and Juniper are major players in the enterprise VPN market. Other VPN providers are listed below –

  •   NordVPN
  •   StrongVPN
  •   IPVanish VPN
  •   PureVPN

Ques 62. What is SSL VPN?

SSL is an abbreviation for Secure Socket Layer. SSL is one such protocol that is used to provide confidentiality and authenticity over the Internet. An SSL VPN is a form of VPN technology that can be used with a standard Web browser.

IPsec VPN technology is used for both end user and site-to-site connectivity, while SSL VPN technology is used exclusively for user connectivity and is ideal for creating a VPN tunnel through restricted networks back to the home site.

SSL VPN is used to give remote users access to –

  •   Web hosted applications
  •   Client/server applications and
  •   Internal network connections.

Ques 63. How is SSL VPN different from IPsec VPN?

Ques 64. What are the different types of VPN?

Remote Access VPN – Also called a Virtual Private Dial-up Network (VPDN), it is mainly used in scenarios where remote access to a network becomes essential. Remote access VPN allows data to be accessed between a company’s private network and remote users through an ISP. E.g. senior executives from an organization are usually visiting customer locations; using Remote access VPN, the key business updates can be made.

Site to Site VPN – This type of VPN can be used when multiple remote endpoints are present and can be made to join a single network. Machines present at these remote locations work as if they are on a single network.

Ques 65. At which layer does SSL VPN operate?

The SSL protocol operates at the bottom of the Application Layer.

Ques 66. By default, how many message pairs are exchanged in a typical IKEv2 connection?

2

Ques 67. What are different SSL VPN Modes?

SSL VPN has the following modes of operation –

  •   Clientless – This mode provides secure access to private web resources and web content. Clientless mode is preferred when most of the content is accessed via a web browser, like Internet access, tools etc.
  •   Thin client – Thin-client mode (port-forwarding Java applet) extends beyond Clientless by going beyond the web browser. Thin client enables remote access to TCP-based applications like POP3, SMTP, IMAP and Telnet.
  •   Tunnel mode – This full-tunnel mode uses the Cisco AnyConnect VPN Client for SSL VPN. This tunneling client provides network layer access to virtually any application.

Ques 68. What are some of the key challenges and issues faced while deploying or managing remote access VPN?

Below are the challenges –

  •   VPN client software must be supported on all user devices like PCs, laptops, tablets and smartphones.
  •   VPN protocols must work end-to-end through firewalls, routers and switches.
  •   Only those VPN solutions should be selected which are compatible and interoperable with concentrators, appliances and servers.

Ques 69. What are some of the key challenges and issues faced while deploying or managing Site to Site VPN?

Below are the challenges –

  •   Activity logging becomes a challenging and cumbersome job.
  •   Firewall blocking challenges.
  •   Connecting two remote networks requires configuration and management of advanced forwarding and routing rules.
  •   Subnet conflicts – Networks connected via traditional VPN must not use the same local subnet. The workaround is to use NAT in order to deal with the overlapping addressing schemes, a process-intensive and complex piece of work.
  •   The design and security implementation for a virtual private network requires a highly skilled professional to set up the best-fit VPN solution.

Ques 70. Which method enables you to prevent user web traffic from traveling through the VPN tunnel?

Split Tunneling

Ques 71. Explain SSL Handshake?

The SSL handshake enables the SSL client and server to establish the secret keys with which they communicate. An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client by using public-key techniques, and then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows.

  1. The SSL client sends a “client hello” message that lists cryptographic information. The message also contains a random byte string that is used in subsequent computations
  2. The SSL server responds with a “server hello” message that contains the Cipher Suite chosen by the server from the list provided by the client, the session ID, and another random byte string. The server also sends its digital certificate. If the server requires a digital certificate for client authentication, the server sends a “client certificate request” that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities.
  3. The SSL client verifies the server’s digital certificate.
  4. The SSL client sends the random byte string that enables both the client and the server to

    compute the secret key to be used for encrypting subsequent message data.

  5. If the SSL server sent a “client certificate request”, the client sends a random byte string

    encrypted with the client’s private key, together with the client’s digital certificate, or a “no digital certificate alert”. This alert is only a warning, but with some implementations the handshake fails if client authentication is mandatory.

  6. The SSL server verifies the client’s certificate.
  7. The SSL client sends the server a “finished” message, which is encrypted with the secret key,

    indicating that the client part of the handshake is complete.

  8. The SSL server sends the client a “finished” message, which is encrypted with the secret key,

    indicating that the server part of the handshake is complete.

  9. For the duration of the SSL or TLS session, the server and client can now exchange messages

    that are symmetrically encrypted with the shared secret key.
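Steps 1, 2 and 4 above each contribute a value (client random, server random, pre-master secret) and step 9 relies on both sides turning those three values into identical symmetric keys. The following is an added example, not code from the original page, that carries that derivation through for TLS 1.2 as specified in RFC 5246 (HMAC-SHA256 PRF); the random and pre-master byte values are constructed samples, and the default key sizes assume an AES-128-GCM suite.

```python
# Added example (not code from the original page): TLS 1.2 key derivation
# as specified in RFC 5246, showing how the two hello randoms and the
# pre-master secret from handshake steps 1, 2 and 4 become the shared
# symmetric keys. All byte values below are constructed samples.
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: the master secret is always 48 bytes."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """RFC 5246 section 6.3: note the randoms are concatenated server-first here."""
    return prf(master, b"key expansion", server_random + client_random, length)


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int = 0, key_len: int = 16, iv_len: int = 4) -> dict:
    """Partition the key block into the per-direction keys of RFC 5246 section 6.3.

    The default sizes match an AES-128-GCM suite (no MAC key, 16-byte key,
    4-byte implicit nonce); other suites use different lengths.
    """
    master = master_secret(pre_master, client_random, server_random)
    sizes = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    block = key_block(master, client_random, server_random, sum(s for _, s in sizes))
    keys, pos = {"master_secret": master}, 0
    for name, size in sizes:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Constructed sample values standing in for the hello randoms (32 bytes each,
# RFC 5246 section 7.4.1.2) and the 48-byte RSA pre-master secret.
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))


def both_sides_agree() -> bool:
    """Client and server each run the derivation independently; the session
    only works if the results are identical, which is what step 9 relies on."""
    client_view = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_view = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    return client_view == server_view


if __name__ == "__main__":
    keys = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
    print("both sides agree:", both_sides_agree())
```

Because the two randoms are mixed into every key, a captured pre-master secret from one session is useless against another, and a mismatch in either random (for example, a tampered hello) yields different keys on the two sides so the “finished” messages of steps 7 and 8 fail to verify.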

Ques 72. What is the concept of HA and FA in VPN tunneling?

The definitions of the terms HA and FA are –

  •   HA (home agent) – software at the network access node (router) in the target network.
  •   FA (foreign agent) – software at the initiator node or at the network access node (router) of the network to which the initiator node belongs.

Below is the process by which a node in a foreign network communicates with its home network with the help of the HA and FA –

  •   The initiator sends a connection request to the FA.
  •   The FA authenticates the user.
  •   The FA forwards the request to the HA of the target network.
  •   The HA verifies the supplied information and sends back the information the FA needs to establish a tunnel.
  •   The initiator starts forwarding data packets to the FA.

Ques 73. What is a connection profile? What details need to be entered when creating a connection profile?

A connection profile consists of a set of records that determines tunnel connection policies. These records identify the servers to which the tunnel user is authenticated and also the accounting servers to which connection information is sent. They also identify a default group policy for the connection, and protocol-specific connection parameters. If we do not assign a particular group policy to a user, the default group policy for the connection applies. In short, we may summarize that connection profiles are used to assign –

  •   DHCP servers
  •   Global address pools
  •   AAA
  •   Generic VPN settings
  •   Additional settings

Ques 74. What is the significance of the “priority” keyword in the following command –

crypto dynamic-map name priority set ikev2 ipsec-proposal proposals

The value of the “priority” keyword can be anything between 0 and 65535, with the lowest value 0 being the highest priority. We can set the priority depending on other policies we may have within the same crypto map.

Ques 75. What are the available VPN Client IP Address Allocation methods in ASA?

Following are the IP address allocation methods in ASA –

  •   Authentication server
  •   DHCP
  •   Internal address pools
  •   Direct user assignment

Ques 76. An AnyConnect client uses which protocol through a VPN tunnel for automatic certificate retrieval?

SCEP

Ques 77. Which ACL type is used with split-tunneling configuration?

Extended Standard

Ques 78. What are the 3 major components of Easy VPN?

The 3 major components of Easy VPN are –

  •   Easy VPN remote: The connecting device, which can be a hardware router or a firewall appliance. Easy VPN can enable these devices to connect to the Easy VPN server and receive policy information with as little as an IP address and password configured.
  •   Easy VPN client: The Cisco IPsec VPN client software that can be used by remote and mobile workers to connect to the Easy VPN server.
  •   Easy VPN server: The terminating device, in the Head Office, running on a router or a firewall.

Ques 79. During which phase does peer authentication occur?

Phase 1

Ques 80. What is difference between IKEv1 and IKEv2?

Below is the difference between IKE v1 and v2

Ques 81. A user is complaining of being unable to open external or internal URLs directly or from the bookmark list. What could be the problem?

The administrator has not configured a DNS server group.

Ques 82. In a Cisco Remote-Access VPN Client, which files hold connection entry information?

Connection entries are stored in a PCF file.

Ques 83. What is the default MTU size set during installation of the IPsec VPN Client on a Windows PC?

1300

Ques 84. What is difference between MPLS and VPN?

Ques 85. What is difference between VPN and proxy?

Ques 86. Does Cisco ASA support VPN in multi-context mode? If yes, then from which release onwards is the feature supported?

Yes, Cisco ASA supports both Site to Site and Remote Access VPN in multi-context mode. Below are the releases supporting this feature –

  •   Site-to-Site VPN – 9.0(1) onwards
  •   Remote Access VPN – 9.5(2) onwards

Ques 87. There is a requirement to set up a VPN box in a Data Center. Which Security Zone should the Internet/Public facing VPN box be connected to so that it is reachable for Internet based users?

The VPN box outside interface should be connected to the DMZ Zone.

Ques 88. What is NAT Traversal? What is the purpose of using NAT-T?

NAT-T is an IKE phase 1 mechanism that is used when trying to establish an IPsec VPN between two gateway devices where there is a NAT device in front of one or both of the gateway devices.

If a packet is encapsulated by an ESP or AH header (due to IPsec), the PAT/NAT device will not have port information to translate the source port, and the resulting IPsec traffic will not pass through the PAT/NAT device. However, if we use the NAT-T feature, the IPsec traffic will be encapsulated in a UDP header with source and destination port number 4500, which provides port information for the NAT device to do Port Address Translation.

Ques 89. Which IP protocols do the AH and ESP headers use in IPsec?

ESP and AH use IP protocols 50 and 51 respectively.
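Ques 88 and Ques 89 together describe what an IPsec VPN actually puts on the wire: ESP on IP protocol 50, AH on IP protocol 51, IKE on UDP/500, and, once NAT-T is negotiated, both IKE and ESP carried inside UDP/4500 (RFC 3948 distinguishes the two with a four-byte zero “non-ESP marker”, and uses a single 0xFF byte as a NAT keepalive). The following is an added example, not code from the original page, that parses constructed sample packets and reports which kind each one is and which firewall permit it needs; the packets, addresses (RFC 5737 documentation ranges) and SPI values are all constructed.

```python
# Added example (not code from the original page): a classifier for the IP
# protocols and UDP ports that an IPsec VPN produces on the wire, covering
# AH (IP protocol 51), ESP (IP protocol 50), IKE on UDP/500, and the
# NAT-T encapsulations on UDP/4500 described in RFC 3948. All packets
# below are constructed samples, not captured traffic.
import struct

PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 17, 47, 50, 51
PORT_IKE, PORT_NAT_T = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE over UDP/4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-octet keepalive


def classify(packet: bytes) -> dict:
    """Return what kind of IPsec-related packet this is and the firewall
    permit it needs; ESP-in-UDP is what NAT-T turns ESP into so that a PAT
    device has ports to translate."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "permit": "ip protocol 50"}
    if proto == PROTO_AH:
        next_hdr, _, _, spi, seq = struct.unpack("!BBHII", payload[:12])
        return {"kind": "ah", "spi": spi, "seq": seq, "next_header": next_hdr,
                "permit": "ip protocol 51"}
    if proto == PROTO_GRE:
        return {"kind": "gre", "permit": "ip protocol 47"}
    if proto == PROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:ulen]
        if PORT_IKE in (sport, dport):
            return {"kind": "ike", "nat_t": False, "permit": "udp/500"}
        if PORT_NAT_T in (sport, dport):
            if data == NAT_KEEPALIVE:
                return {"kind": "nat-keepalive", "permit": "udp/4500"}
            if data[:4] == NON_ESP_MARKER:
                return {"kind": "ike", "nat_t": True, "permit": "udp/4500"}
            if len(data) >= 8:
                spi, seq = struct.unpack("!II", data[:8])
                return {"kind": "esp-in-udp", "spi": spi, "seq": seq, "permit": "udp/4500"}
            return {"kind": "malformed", "permit": "udp/4500"}
        return {"kind": "udp-other", "sport": sport, "dport": dport}
    return {"kind": "other", "protocol": proto}


# --- constructed sample packets -------------------------------------------
def ipv4(proto: int, payload: bytes, src=b"\xc6\x33\x64\x01", dst=b"\xcb\x00\x71\x02") -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) in front of payload;
    default addresses are 198.51.100.1 -> 203.0.113.2."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, src, dst) + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_PACKETS = {
    "esp": ipv4(PROTO_ESP, struct.pack("!II", 0x1A2B3C4D, 1) + bytes(16)),
    "ah": ipv4(PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x0000CAFE, 7) + bytes(12)),
    "ike": ipv4(PROTO_UDP, udp(PORT_IKE, PORT_IKE, bytes(28))),
    "ike_nat_t": ipv4(PROTO_UDP, udp(PORT_NAT_T, PORT_NAT_T, NON_ESP_MARKER + bytes(28))),
    "esp_in_udp": ipv4(PROTO_UDP, udp(PORT_NAT_T, PORT_NAT_T, struct.pack("!II", 0xDEAD0001, 9) + bytes(16))),
    "keepalive": ipv4(PROTO_UDP, udp(PORT_NAT_T, PORT_NAT_T, NAT_KEEPALIVE)),
    "gre": ipv4(PROTO_GRE, b"\x00\x00\x08\x00"),
}


def required_permits(packets) -> set:
    """The distinct firewall permits a set of observed packets needs."""
    return {c["permit"] for c in map(classify, packets) if "permit" in c}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:11s} -> {classify(pkt)}")
    print("permits:", sorted(required_permits(SAMPLE_PACKETS.values())))
```

The `required_permits` output is the practical check for Ques 97: a firewall that only allows UDP 500 and 4500 carries a tunnel whose peers have negotiated NAT-T, but a tunnel with no NAT in the path sends bare ESP (IP protocol 50), which that rule set would drop.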

Ques 90. Which type of VPN would you use if data has to be encrypted at the network layer?

IPSEC VPN will be used since IPSEC VPN encrypts data at the network layer whereas SSL encrypts data at the application layer.

Ques 91. What do we mean by VPN hairpinning?

Hairpinning is a term to describe traffic that is routed out of the same interface from which it entered. Hairpinning is also referred to as U-turn traffic.
Below is one example scenario where traffic from a VPN client is hairpinned and redirected to access the Internet (web browsing) by taking a U-turn from the outside interface of the VPN gateway.

Ques 92. The output after issuing the “show crypto isakmp sa” command shows the state as MM_KEY_EXCH. Is this the ideal state of the VPN?

This is not the ideal VPN condition and means either the configured pre-shared key is not correct or the peer IP addresses are different.

Ques 93. Which command shows the ISAKMP SA built between peers?

show crypto isakmp sa

Ques 94. Which command is issued to view the IKE Phase 1 management connections?

Use the show crypto isakmp sa command.

Ques 95. What are all the probable states of IKE Phase 1 Main Mode?

Below are the 4 probable states –

  •   MM_NO_STATE
  •   MM_SA_SETUP
  •   MM_KEY_EXCH
  •   MM_KEY_AUTH
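Ques 92 to Ques 95 all come down to reading the state column of show crypto isakmp sa: a healthy IKE phase 1 SA sits in QM_IDLE, and any SA that stays in one of the four MM_* states points at a specific failure (Ques 92 gives the MM_KEY_EXCH case). The following is an added example, not code from the original page, that parses that table and annotates every non-idle SA with the cause to check. The sample output is constructed in the column layout of the IOS command (dst, src, state, conn-id, status) using RFC 5737 documentation addresses; it is not from a real device, and the state descriptions are taken from Cisco's documented ISAKMP state meanings.

```python
# Added example (not code from the original page): a parser for the
# "show crypto isakmp sa" table that flags IKE phase 1 SAs stuck in a
# main-mode state. The sample output is constructed in the layout of the
# IOS command (columns dst, src, state, conn-id, status) with RFC 5737
# documentation addresses; it is not taken from a real device.

# Meaning of each state, as documented for the IOS ISAKMP state machine;
# QM_IDLE is the established state the page's MM_* list leads up to.
STATE_MEANING = {
    "MM_NO_STATE": "ISAKMP SA created but nothing exchanged yet (peer unreachable, UDP/500 blocked, or SA being deleted)",
    "MM_SA_SETUP": "peers agreed on phase 1 policy; waiting for the DH key exchange",
    "MM_KEY_EXCH": "DH done but SA not authenticated: pre-shared key mismatch or peer/identity address mismatch",
    "MM_KEY_AUTH": "phase 1 authenticated; about to move to quick mode",
    "QM_IDLE": "phase 1 complete, quick mode idle (healthy)",
}

# Constructed sample output, not a capture from a device.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.9     198.51.100.1    MM_KEY_EXCH       1002 ACTIVE
203.0.113.14    198.51.100.1    MM_NO_STATE       1003 ACTIVE

IPv6 Crypto ISAKMP SA
"""


def parse_isakmp_sa(output: str) -> list:
    """Turn the table rows into dicts; header and section lines are skipped."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].split("_")[0] not in ("MM", "AG", "QM"):
            continue
        entries.append({
            "dst": fields[0], "src": fields[1], "state": fields[2],
            "conn_id": int(fields[3]), "status": " ".join(fields[4:]),
        })
    return entries


def stuck_sas(entries: list) -> list:
    """Every SA not in QM_IDLE, annotated with the likely cause to check."""
    return [
        dict(e, hint=STATE_MEANING.get(e["state"], "unknown state"))
        for e in entries if e["state"] != "QM_IDLE"
    ]


if __name__ == "__main__":
    for sa in stuck_sas(parse_isakmp_sa(SAMPLE_OUTPUT)):
        print(f"peer {sa['dst']} conn-id {sa['conn_id']}: {sa['state']} - {sa['hint']}")
```

Run against the constructed sample, the script reports the MM_KEY_EXCH peer (the Ques 92 case) and the MM_NO_STATE peer, and stays silent about the QM_IDLE one; the same parser can be fed the saved output of the real command when checking a tunnel.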

Ques 96. Which ports on the firewall should be allowed for PPTP?

PPTP uses TCP port 1723 and IP protocol 47 (GRE).

Ques 97. Which ports on the firewall should be allowed for an IPsec Site to Site VPN?

UDP ports 500 and 4500 should be allowed.

Ques 98. What is the advantage of using VPN technologies over WAN technologies?

Enlisted below are the benefits that can be reaped from VPN compared to other WAN technologies –

  •   Reduced cost (compared to the higher provisioning costs of long distance leased lines and supporting these WAN links)
  •   More scalable than other WAN solutions
  •   Faster provisioning and shorter deployment time
  •   Increased productivity since it allows roaming users to connect to corporate resources from anywhere, anytime.
  •   Reduces risk of security breaches by cyberattacks.
  •   Reachable where leased links and other WAN technologies are not feasible.

Ques 99. What is a VPN concentrator?

A “VPN Concentrator” is a device that handles multiple VPN tunnels remotely. In other words, a VPN concentrator is a networking device that creates VPN networks to facilitate communication between different VPN nodes.

Ques 100. What is OpenVPN?

OpenVPN is an open source client-server based VPN solution which provides secure communication for VPN users. The server side is directly connected to the Internet; the client connects to the server and ultimately reaches the Internet indirectly through it. OpenVPN uses OpenSSL for the secure VPN tunnel.