Question 129 of 530 from exam 400-251: CCIE Security written exam



Which three statements about IKEv2 are correct? (Choose three.)





IKEv2 (Internet Key Exchange version 2) is the protocol used to establish a secure connection between two devices, most often in VPN (Virtual Private Network) implementations. Here are the explanations for each statement about IKEv2:

A. INITIAL_CONTACT is used to synchronize state between peers. When a device establishes a connection with another device using IKEv2, it sends an INITIAL_CONTACT message. This message helps to synchronize the state between the two devices and ensure that they are both aware of each other's status. This is important because it allows the devices to negotiate the parameters for the security association (SA) that they will use to communicate.

C. The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH. When a connection is established using IKEv2, the initial exchanges are IKE_SA_INIT and IKE_AUTH. The IKE_SA_INIT exchange establishes the IKE SA and negotiates the cryptographic parameters that will be used during the exchange. The IKE_AUTH exchange authenticates the devices and sets up the encryption keys for the exchange.

D. Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange. When the initial SA established by IKEv2 expires or needs to be renewed, the devices use the CREATE_CHILD_SA exchange to rekey the SA. This exchange can also be used to create additional child SAs within an existing IKE SA.

B. The IKEv2 standard defines a method for fragmenting large messages. To ensure that IKEv2 can handle large messages, the protocol includes a method for fragmenting them into smaller packets that can be transmitted more easily. This helps to ensure that messages are not lost or delayed due to network congestion.

F. Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode. In IKEv2, the configuration payload is used to exchange attributes between the devices. This payload can be sent in either REQUEST/REPLY mode or in CONFIGURATION mode. However, attribute policy push is only supported in REQUEST/REPLY mode. This allows the devices to negotiate the configuration parameters that they will use during the exchange.

E. NAT-T is not supported. IKEv2 can be used with NAT Traversal (NAT-T) to help ensure that the connection can be established even when one or both devices are behind a NAT device. This statement is therefore incorrect: IKEv2 does support NAT-T, which allows it to be used in a wide variety of network environments.
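The exchanges named in statements C and D (IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA) and the NAT-T support discussed under statement E are visible on the wire in the IKEv2 header and its chain of payloads. The following parser, added here as an illustration and not part of the exam material or of any Cisco code, decodes the fixed header from RFC 7296, walks the cleartext payloads, and reports the exchange type, the sender's role, and any Notify payloads (such as INITIAL_CONTACT or the NAT_DETECTION_* notifies that drive NAT-T). It stops at an SK or SKF payload, since everything after that is ciphertext. The sample messages are constructed with placeholder bodies and are not captured traffic; `build_message` and `notify` are helpers written for this example.

```python
import struct

# IKEv2 header: Initiator SPI(8) Responder SPI(8) Next Payload(1) Version(1)
# Exchange Type(1) Flags(1) Message ID(4) Length(4)  -- RFC 7296 section 3.1
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes
FLAG_INITIATOR = 0x08  # set by the original initiator of the IKE SA
FLAG_RESPONSE = 0x20   # set on responses (bit 5 of the flags octet)

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
                 38: "CERTREQ", 39: "AUTH", 40: "Nonce", 41: "N", 42: "D",
                 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP",
                 48: "EAP", 53: "SKF"}  # SKF = fragment payload, RFC 7383
NOTIFY_TYPES = {16384: "INITIAL_CONTACT", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP"}


def parse_ikev2(data: bytes) -> dict:
    """Decode the fixed header and walk the cleartext payload chain.

    Any malformed field raises ValueError rather than being guessed at, so a
    monitor built on this fails closed on truncated or bogus datagrams.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("short IKE header")
    ispi, rspi, nxt, version, exch, flags, msg_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length != len(data):
        raise ValueError("header length does not match datagram size")
    payloads, notifies, encrypted = [], [], False
    offset = HEADER_LEN
    while nxt != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated generic payload header")
        ptype = nxt
        nxt, _crit, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError(f"bad length {plen} for payload type {ptype}")
        body = data[offset + 4:offset + plen]
        payloads.append(PAYLOAD_TYPES.get(ptype, f"UNKNOWN({ptype})"))
        if ptype == 41 and len(body) >= 4:  # Notify: proto ID, SPI size, type
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            notifies.append(NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})"))
        if ptype in (46, 53):
            # SK/SKF: the rest is ciphertext, and its Next Payload names the
            # first *inner* payload, so the cleartext walk must stop here.
            encrypted = True
            break
        offset += plen
    return {
        "ispi": ispi.hex(), "rspi": rspi.hex(),
        "exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
        "role": "initiator" if flags & FLAG_INITIATOR else "responder",
        "is_response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id, "payloads": payloads,
        "notifies": notifies, "encrypted": encrypted,
    }


def build_message(ispi, rspi, exchange, flags, msg_id, payloads):
    """Serialise a constructed message; payloads is a list of (type, body)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(HEADER_FMT, ispi, rspi, first, 0x20, exchange, flags,
                      msg_id, HEADER_LEN + len(chain))
    return hdr + chain


def notify(ntype: int, data: bytes = b"") -> tuple:
    """Notify payload (type 41) body with protocol ID 0 and no SPI."""
    return (41, struct.pack("!BBH", 0, 0, ntype) + data)


# Constructed samples (not captured traffic): SA/KE/Nonce bodies and the
# 20-byte NAT-detection hashes are placeholder bytes of the right shape.
SAMPLE_SA_INIT = build_message(b"\x11" * 8, b"\x00" * 8, 34, FLAG_INITIATOR, 0, [
    (33, b"\x00" * 8), (34, b"\x00" * 8), (40, b"\x00" * 16),
    notify(16388, b"\x00" * 20), notify(16389, b"\x00" * 20)])
SAMPLE_AUTH = build_message(b"\x11" * 8, b"\x22" * 8, 35, FLAG_INITIATOR, 1,
                            [(46, b"\xaa" * 32)])

if __name__ == "__main__":
    for sample in (SAMPLE_SA_INIT, SAMPLE_AUTH):
        print(parse_ikev2(sample))
```

Run on a real capture, the first message of a session shows a zero Responder SPI and message ID 0 in IKE_SA_INIT; the NAT_DETECTION_* notifies there are what let both peers decide whether to switch to UDP 4500, which is the NAT-T behaviour statement E wrongly denies. Rekeys appear as CREATE_CHILD_SA with encrypted (SK) content only, so a monitor can count and time them without needing any key material.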
