cisco network plus certification

cisco network plus certification.The asterisk in Figure 7-3 illustrates that the packet is encrypted. Step 6. the ASA.2 verifies the identity of ASA.1 sends its own identity information to ASA-1O This packet is also encrypted. The communication port of the IKE is port UDP500. The UDP destination port number for the packets mentioned in the above steps is 500.7.4.2 IKEv1 Phase 2 IKE Phase 2 is used to negotiate the IPSec SA. this phase is also called quick mode oISAKMP SA protects the IPSecSA, 'because all net loads are encrypted except for the ISAKMP header. An IPSecSA negotiation always creates two Security Associations (SAs) ------------------- in and one out. The originator and the responder each assign a unique Security Parameter Index (SPI) value to each SA. Unlike TCP packet segments and UDP datagrams, security protocol (AH and ESP) packets are Layer 3 protocol packets and do not contain Layer 4 port information. If an IPSec peer is deployed behind a PAT device, the ESP or AH packets are typically discarded. To combat this problem, PAT devices from many vendors, including Cisco, support a feature called IPSecpass-through. A PAT device with IPSecpass-through builds an IP address translation table based on the SPI value of the packet. Several vendors in the industry, including Cisco, also implement another feature called NAT Traversal [NAT-T]. Once NAT-T is enabled, both VPN peers can automatically detect the presence of address translation devices between them. If a NAT/PAT device is detected, the VPN peer will encapsulate the security protocol packets as UDP packets with a destination port number of 4500, so that the NAT device can smoothly convert and forward the "UDP-encapsulated" packets.322 Chapter 7 Introduction to Virtual Private Networks (VPNs)The NAT device can then smoothly convert and forward "UDP-sealed" security protocol packets.Don't forget that each IPSec SA is unidirectional, and if three local subnets need to communicate with a remote network through a VPN tunnel, six IPSec SAOs are negotiated using a single pre-established ISAKMP (IKEvl phase 1) SA, IPSec can use fast mode to negotiate multiple phase 2 SAOs However, the number of IPSec SAs can be reduced if the source and/or destination networks are aggregated.The various IPSec attributes negotiated in fast mode are not shown in Table 7-2. Table 7-2 IPSec AttributesAttribute Possible valuesEncryption Algorithm None, DES, 3DES, AES128, AES192, AES256Hash Algorithm MD5, SHA, NoneIdentity information Network, protocol type, port number