PCNSE · Question #572
PCNSE Question #572: Real Exam Question with Answer & Explanation
The correct answer is A: Use the Dynamic IP address type.
Question
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?
Options
- A. Use the Dynamic IP address type.
- B. Enable Passive Mode.
- C. Set up certificate authentication.
- D. Configure the peer address as an FQDN.
Explanation
When a VPN peer will act as the initiator and its IP addresses are completely unknown, the IKE gateway on the local firewall should be configured with the Dynamic IP address type. This setting allows the firewall to accept incoming IKE negotiations from peers whose IP addresses are not predetermined or fixed. Passive Mode (B) prevents the local firewall from initiating the tunnel but does not resolve the problem of not knowing the peer's address. Certificate authentication (C) handles identity verification but still requires the peer address to be defined. Configuring an FQDN (D) requires the peer to have a DNS-resolvable hostname, which is not guaranteed with unknown addresses.