nerdexam
Cisco

352-001 · Question #201

Which restriction prevents a designer from using a GDOI-based VPN to secure traffic that traverses the Internet?

The correct answer is C. Network address translation functions interfere with tunnel header preservation.. GDOI-based GET VPN preserves the original IP header during encryption, which is fundamentally incompatible with NAT because NAT must rewrite the very IP addresses that are cryptographically protected by IPsec.

Designing Security

Question

Which restriction prevents a designer from using a GDOI-based VPN to secure traffic that traverses the Internet?

Options

  • AEnterprise host IP addresses are typically not routable.
  • BGDOI is less secure than traditional IPsec.
  • CNetwork address translation functions interfere with tunnel header preservation.
  • DThe use of public addresses is not supported with GDOI.

How the community answered

(51 responses)
  • A
    6% (3)
  • B
    12% (6)
  • C
    80% (41)
  • D
    2% (1)

Why each option

GDOI-based GET VPN preserves the original IP header during encryption, which is fundamentally incompatible with NAT because NAT must rewrite the very IP addresses that are cryptographically protected by IPsec.

AEnterprise host IP addresses are typically not routable.

Non-routable enterprise IP addresses are a general Internet routing issue that affects all VPN types equally and is not a restriction specific to GDOI or GET VPN.

BGDOI is less secure than traditional IPsec.

GDOI and GET VPN are not less secure than traditional IPsec; they provide equivalent encryption with the added benefit of scalable group key management via a key server.

CNetwork address translation functions interfere with tunnel header preservation.Correct

GET VPN uses tunnel-header preservation, meaning the original source and destination IP addresses remain in the outer IP header after encryption rather than being replaced by tunnel endpoint addresses. NAT devices in the Internet path attempt to rewrite those outer IP addresses, but because those addresses fall within the IPsec-protected scope, the modification breaks IPsec integrity verification and causes packet drops. This incompatibility restricts GET VPN to private MPLS or non-NAT environments where the original IP addressing is preserved end to end.

DThe use of public addresses is not supported with GDOI.

GDOI does not prohibit the use of public IP addresses; the actual restriction is NAT incompatibility caused by tunnel header preservation, not any limitation on address type.

Concept tested: GET VPN GDOI NAT incompatibility with header preservation

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-16/sec-conn-getvpn-xe-16-book/sec-conn-getvpn.html

Topics

#GDOI#NAT traversal#tunnel header#Internet VPN

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice