300-730 · Question #86
An administrator is designing a VPN with a partner's non-Cisco VPN solution. The partner's VPN device will negotiate an IKEv2 tunnel that will only encrypt subnets 192.168.0.0/24 going to 10.0.0.0/24.
The correct answer is B. crypto map. Policy-based VPNs using crypto maps define traffic selectors that restrict encryption to specific subnet pairs, which is required when interoperating with a non-Cisco partner device via IKEv2.
Question
Options
- AVTI
- Bcrypto map
- CGETVPN
- DDMVPN
How the community answered
(26 responses)- A8% (2)
- B73% (19)
- C4% (1)
- D15% (4)
Why each option
Policy-based VPNs using crypto maps define traffic selectors that restrict encryption to specific subnet pairs, which is required when interoperating with a non-Cisco partner device via IKEv2.
VTI is a route-based VPN interface that encrypts all traffic routed through it regardless of subnet, so it cannot restrict encryption to specific subnet pairs as the partner requires.
Crypto maps use access control lists to define proxy IDs (traffic selectors) that specify exactly which source and destination subnets are encrypted, satisfying the partner's requirement to encrypt only 192.168.0.0/24 to 10.0.0.0/24. This policy-based approach is universally supported by third-party IKEv2 implementations that require explicit subnet negotiation. Route-based methods like VTI would encrypt all traffic through the tunnel interface, not just the specified subnets.
GETVPN is a non-tunneled, group-based technology designed for any-to-any encryption over MPLS and does not support point-to-point partner VPN with subnet-specific traffic selector negotiation.
DMVPN is a hub-and-spoke or multipoint VPN framework that does not provide the subnet-specific traffic selector negotiation required by the partner's IKEv2 configuration.
Concept tested: Policy-based VPN with crypto maps and traffic selectors
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ike-for-ipsec-vpns-xe-16-book/sec-cfg-ike-for-ipsec.html
Topics
Community Discussion
No community discussion yet for this question.