crypto isakmp profile vpn1 vrf vpn1 keyring vpn1 match identity address 172.16.1.1 255.255.255.255 crypto map crypmap 1 ipsec-isakmp set peer 172.16.1.1 set transform-set vpn1 set isakmp-profile vpn1 match address 101 ! interface Ethernet1/2 crypto map crypmap Which statements apply to the above configuration? (Choose two.)
The configuration shown is configuring a site-to-site IPsec VPN tunnel using ISAKMP for key management. Let's go through each statement one by one to understand what is happening.
Firstly, the following command creates an ISAKMP profile named "vpn1" that is associated with a VRF named "vpn1":
crypto isakmp profile vpn1 vrf vpn1
This means that the ISAKMP profile will be bound to the VRF named "vpn1". VRF-Aware IPsec is a feature that allows IPsec tunnels to be created in the context of a specific VRF.
Next, the following command configures a keyring named "vpn1" to be used by the ISAKMP profile "vpn1":
This keyring contains the pre-shared key or digital certificate used to authenticate the VPN tunnel.
Then, the following command specifies that the remote peer for this IPsec tunnel is the IP address 172.16.1.1:
set peer 172.16.1.1
The next command specifies the transform set that will be used for the encryption and authentication of the IPsec tunnel:
set transform-set vpn1
This command specifies that the VPN tunnel will use the "vpn1" transform set, which defines the encryption and authentication algorithms to be used for the VPN tunnel.
The following command specifies that the ISAKMP profile named "vpn1" will be used for this IPsec tunnel:
set isakmp-profile vpn1
This command associates the ISAKMP profile named "vpn1" with this IPsec tunnel.
Finally, the following command applies the IPsec crypto map named "crypmap" to the interface Ethernet1/2:
crypto map crypmap 1 ipsec-isakmp
This command specifies that the crypto map named "crypmap" will be used for this IPsec tunnel.
In summary, the configuration shown creates an IPsec VPN tunnel that is VRF-aware, meaning it is created within a specific VRF context. The VRF-aware feature is made possible by binding the ISAKMP profile to a specific VRF. The configuration also specifies the remote peer, transform set, and crypto map to be used for this IPsec tunnel. The configuration is valid and contains no redundant commands.
Therefore, the correct statements are: