Overlay Tunnels - IPSec Fundamentals

15 important questions on Overlay Tunnels - IPSec Fundamentals

Which two modes of transport are supported by traditional IPSec?

1. Tunnel Mode (Encrypts entire packet and adds new IP headers)
2. Transport Mode (Only encrypts packet payload, packet routed by original IP Headers)

What are the 4 Headers/Trailers used by IPSec?

1. IPSec IP Header (Tunnel mode only)
2. ESP Header
3. ESP Trailer
4. ESP Auth Trailer

Which data encryption algorithms and hash algorithms should be avoided?

Encryption Algorithms
1. DES
2. 3DES 

Hash Algorithm
1. MD5

Which Diffie-Hellman groups should be avoided?

1, 2 and 5. Use DH Group 14 or higher.

What is the Internet Key Exchange (IKE) protocol used for?

IKE is a protocol used to perform authentication between two endpoints and establish a Security Association (SA).
These SAs or Tunnels are used to carry Control Plane and Data Plane traffic for IPSec.

Which versions of IKE are there and what are important differences?

There are 2 versions, IKEv1 and IKEv2.
IKEv2 has the following improvements:
1. EAP (Certificate based authentication)
2. Anti-DOS capabilities
3. Fewer messages to establish SA

What is the Internet Security Association Key Management Protocol (ISAKMP)?

A framework for authentication and key exchange to establish, modify and tear down SAs.
It uses port 500 for communication between peers.
IKE is the ISAKMP implementation using the Oakley and Skeme key exchange.

Which two phases does IKEv1 go through to set up a VPN Tunnel?

Phase 1: Establish bidirectional SA between two peers (ISAKMP SA)

Phase 2: Establish unidirectional IPSec SAs

Which 2 modes can IKEv1 use in Phase 1 negotiation?

1. Main Mode (Safer, more (6) messages)

2. Aggressive Mode (Faster, less safe, fewer (3) messages)

What is the method used to establish the IPSec SA called, and how many messages does it need?

It is called Quick Mode and it needs 3 messages.

Instead of the 9 messages in main mode or 6 in aggressive mode with IKEv1, IKEv2 only uses 4 messages. What are the stages it goes through?

Stage 1: First exchange IKE_SA_INIT (Negotiate algorithms, exchange nonces and perform DH)

Stage 2: Second exchange IKE_AUTH (authenticate previous messages, exchange identities and certificates. Then establish IKE_SA and Child SA (IPSec SA))

What are 5 IPSec VPN protocols available on Cisco devices?

1. Site-to-Site IPSec VPN
2. Cisco DMVPN (Cisco only)
3. Cisco GET-VPN (Cisco only)
4. FlexVPN (Cisco only)
5. Remote Access VPN (Cisco only)

What is Cisco Dynamic Multipoint VPN (DMVPN)?

Simplifies hub-and-spoke and spoke-to-spoke configuration by combining multipoint GRE (mGRE) tunnels, IPSec and Next Hop Resolution Protocol.

What is Cisco Group Encrypted Transport VPN (GET VPN)?

Builds any-to-any tunnel-less VPNs (where the original IP header is used) across service provider MPLS networks or private WANs. It does this without affecting multicast or QoS configuration on the networks.

What is Cisco FlexVPN?

Cisco's implementation of IKEv2, supporting site-to-site, remote access, hub-and-spoke and partial meshes.
Uses virtual access interfaces.
