NSE4 Question #252: Real Exam Question with Answer & Explanation

Question

An administrator configures a VPN and selects the Enable IPSec Interface Mode option in the phase 1 settings. Which of the following statements are correct regarding the IPSec VPN configuration?

Options

• ATo complete the VPN configuration, the administrator must manually create a virtual IPSec
• BThe virtual IPSec interface is automatically created after the phase1 configuration.
• CThe IPSec policies must be placed at the top of the list.
• DThis VPN cannot be used as part of a hub and spoke topology.
• ERoutes were automatically created based on the address objects in the firewall policies.

Explanation

When IPSec Interface Mode is enabled in a FortiGate VPN phase 1 configuration, a virtual IPSec interface is automatically created.

Common mistakes.

• A. The virtual IPSec interface is automatically created; manual creation is not required.
• C. IPSec policies do not necessarily need to be at the top of the list; their placement depends on the overall policy structure and desired traffic flow.
• D. IPSec interface mode VPNs are commonly used in hub-and-spoke topologies because they can be easily integrated with routing protocols and standard firewall policies.
• E. Routes for IPSec VPNs are typically configured manually as static routes or learned dynamically through routing protocols, not automatically generated from firewall policy address objects alone.

Concept tested. FortiGate IPSec Interface Mode automatic interface creation

Reference. https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/469904/ipsec-vpn-interface-mode

No community discussion yet for this question.