300-730 Question #204: Real Exam Question with Answer & Explanation

The correct answer is D: crypto isakmp profile. In IOS XE IKEv1 site-to-site VPN, a keyring is associated with a peer by referencing it inside the crypto isakmp profile.

Question

An engineer is setting up a site-to-site VPN on a Cisco Router running IOS XE using a pre-shared key Cisco@0S1963896#. The configurations have already been completed:
  • ISAKMP Policy
  • IPSec Transform Set
  • Crypto Map Configuration

Where must the engineer configure the keyring?

Options

  • A. crypto isakmp policy
  • B. tunnel interface
  • C. crypto ipsec profile
  • D. crypto isakmp profile

Explanation

In IOS XE IKEv1 site-to-site VPN, a keyring is associated with a peer by referencing it inside the crypto isakmp profile.
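The association described above, as an added configuration sketch that is not from the original page or from Cisco's documentation. The object names (KR-SITE-B, ISAKMP-PROF-SITE-B, CMAP, TSET, VPN-ACL), the sequence number and the peer address 203.0.113.2 are assumptions chosen for illustration, and the key is shown as a placeholder.

```cisco
! Constructed example: all names and the peer address (documentation range) are assumed.
!
! 1. The keyring holds the pre-shared key for the remote peer.
crypto keyring KR-SITE-B
 pre-shared-key address 203.0.113.2 key <PRE-SHARED-KEY>
!
! 2. The ISAKMP profile is where the keyring is referenced.
!    "match identity" selects which peers this profile (and its keyring) applies to.
crypto isakmp profile ISAKMP-PROF-SITE-B
 keyring KR-SITE-B
 match identity address 203.0.113.2 255.255.255.255
!
! 3. The existing crypto map entry is tied to the profile, so Phase 1 for this
!    peer authenticates with the key from KR-SITE-B.
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TSET
 set isakmp-profile ISAKMP-PROF-SITE-B
 match address VPN-ACL
!
! Checks after applying:
!   show crypto isakmp profile   (profile lists the keyring and identity match)
!   show crypto isakmp sa        (Phase 1 SA reaches QM_IDLE with the peer)
```

Scoping the key to a single peer address in the keyring, rather than a wildcard address, limits which remote endpoints can authenticate with it.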

Common mistakes.

  • A. The 'crypto isakmp policy' defines Phase 1 parameters such as encryption algorithm, hash, DH group, and lifetime - it has no mechanism to reference or accept a keyring.
  • B. A tunnel interface is used in FlexVPN and DMVPN configurations for IKEv2-based tunnels, not in traditional IKEv1 crypto map-based VPN deployments.
  • C. The 'crypto ipsec profile' binds a transform set for IPSec Phase 2 and is used with virtual tunnel interfaces - it does not manage IKEv1 peer authentication or keyrings.

Concept tested. IKEv1 keyring assignment within crypto isakmp profile

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-conn-ikevpn-xe-16-book/sec-conn-cfg-ikev1.html
