PCNSE Question #555: Real Exam Question with Answer & Explanation
The correct answer is B: IPSec Crypto profile.
Question
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?
Options
- A. IKE Gateway profile
- B. IPSec Crypto profile
- C. IPSec Tunnel settings
- D. IKE Crypto profile
Explanation
IPSec VPN negotiation has two phases: Phase 1 (IKE) establishes the control channel and Phase 2 (IPSec) establishes the data tunnel. Lifetime settings for each phase live in separate profiles. The 'IPSec Crypto profile' (Network > Network Profiles > IPSec Crypto) governs Phase 2 parameters, including the encryption algorithm, authentication algorithm, DH group, and, critically, the lifetime (in seconds or kilobytes). The 'IKE Crypto profile' (Network > Network Profiles > IKE Crypto) governs the Phase 1 lifetime. The 'IKE Gateway' profile configures Phase 1 peer addressing and authentication, not lifetimes. 'IPSec Tunnel settings' references the crypto profiles but does not directly define lifetime values. Because the administrator identified a Phase 2 lifetime mismatch, the correct location is the IPSec Crypto profile.