IKEv2 - Three Correct Statements | CCIE Security Exam

Question

Which three statements about IKEv2 are correct? (Choose three.)

Answers

A. INITIAL_CONTACT is used to synchronize state between peers.
B. The IKEv2 standard defines a method for fragmenting large messages.
C. The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH.
D. Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange.
E. NAT-T is not supported.
F. Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode.

Explanations

ACD.

IKEv2 (Internet Key Exchange version 2) is a protocol used for setting up a secure communication channel between two devices in an IP network, typically for establishing Virtual Private Networks (VPNs). Here are the explanations of the statements about IKEv2:

A. INITIAL_CONTACT is used to synchronize state between peers: When a device initiates a connection to another device, it sends an IKE_INIT message to begin the IKEv2 process. If the responding device has already established a Security Association (SA) with the initiating device, it responds with an INITIAL_CONTACT notification that includes the message ID of the last message received from the initiating device. This allows the two devices to synchronize their state and resume the IKEv2 process from where it left off. Therefore, statement A is correct.

B. The IKEv2 standard defines a method for fragmenting large messages: IKEv2 packets may sometimes exceed the Maximum Transmission Unit (MTU) size of the network. In such cases, the protocol allows for fragmentation of messages. The IKEv2 fragmentation process ensures that messages are divided into smaller packets that can be reassembled by the receiving device. Therefore, statement B is correct.

C. The initial exchanges of IKEv2 consist of IKE_SA_INIT and IKE_AUTH: The IKEv2 process begins with the IKE_SA_INIT exchange, in which the two devices exchange information about their supported security protocols and algorithms. Once this exchange is complete, the devices move on to the IKE_AUTH exchange, which is used to authenticate the devices and establish the first SA for the session. Therefore, statement C is correct.

D. Rekeying IKE and child SAs is facilitated by the IKEv2 CREATE_CHILD_SA exchange: IKEv2 allows for the establishment of multiple Security Associations (SAs), including a parent IKE SA and one or more child SAs. Rekeying these SAs is accomplished using the CREATE_CHILD_SA exchange. This exchange allows the two devices to agree on new cryptographic keys and algorithms to be used for the session. Therefore, statement D is correct.

E. NAT-T is not supported: Network Address Translation Traversal (NAT-T) is a method for allowing devices behind a NAT gateway to communicate over a VPN. IKEv2 supports NAT-T, which allows it to detect when NAT is being used and encapsulate its packets accordingly. Therefore, statement E is incorrect.

F. Attribute policy push (via the configuration payload) is only supported in REQUEST/REPLY mode: Attribute policy push is a feature of IKEv2 that allows one device to push configuration policies to the other device during the IKEv2 exchange. This feature is supported in both the IKE_SA_INIT and CREATE_CHILD_SA exchanges, and can be used in either REQUEST/REPLY mode or NOTIFY mode. Therefore, statement F is incorrect.

In summary, the correct statements about IKEv2 are A, B, and C.
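As an added illustration of the exchange types, header flags and notify payloads discussed above (example code written for this page, not part of the exam material or any vendor's implementation), the following Python parser decodes the fixed IKEv2 header and walks the cleartext payload chain of a message, stopping at the first Encrypted (SK) or Encrypted Fragment (SKF) payload. Exchange, payload and notify numbers are taken from RFC 7296 and RFC 7383; the SPI values and the two sample messages (an IKE_SA_INIT request advertising NAT detection and fragmentation support, and an IKE_AUTH fragment) are constructed for the demo.

```python
import struct

# Values from RFC 7296 (header, payload and notify types) and RFC 7383 (fragmentation).
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NOTIFY_TYPES = {16384: "INITIAL_CONTACT", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP", 16430: "IKEV2_FRAGMENTATION_SUPPORTED"}
PAYLOAD_NOTIFY, PAYLOAD_SK, PAYLOAD_SKF = 41, 46, 53   # Notify, Encrypted, Encrypted Fragment
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

def parse_ikev2(msg: bytes) -> dict:
    """Decode the 28-byte IKE header, then walk cleartext payloads up to the first SK/SKF."""
    if len(msg) < 28:
        raise ValueError("short IKE header")
    _spi_i, _spi_r, next_pl, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", msg[:28])
    if ver >> 4 != 2 or length != len(msg):      # major version nibble must be 2, length must match
        raise ValueError("not a complete IKEv2 message")
    info = {"exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
            "role": "initiator" if flags & FLAG_INITIATOR else "responder",
            "kind": "response" if flags & FLAG_RESPONSE else "request",
            "message_id": msg_id, "notifies": [], "encrypted": False, "fragment": False}
    off = 28
    while next_pl != 0:                          # Next Payload 0 terminates the chain
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        # generic payload header: Next Payload, Critical/Reserved, Payload Length
        cur, next_pl, plen = next_pl, msg[off], struct.unpack("!H", msg[off + 2:off + 4])[0]
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if cur == PAYLOAD_NOTIFY and len(body) >= 4:   # Protocol ID, SPI Size, Notify Type, ...
            ntype = struct.unpack("!H", body[2:4])[0]
            info["notifies"].append(NOTIFY_TYPES.get(ntype, f"NOTIFY({ntype})"))
        elif cur in (PAYLOAD_SK, PAYLOAD_SKF):
            info["encrypted"], info["fragment"] = True, cur == PAYLOAD_SKF
            break                                # everything after SK/SKF is ciphertext
        off += plen
    return info

def notify(next_pl: int, ntype: int) -> bytes:
    """Constructed Notify: Protocol ID 0, SPI Size 0, no data (real NAT_DETECTION_* carry a SHA-1)."""
    return struct.pack("!BBHBBH", next_pl, 0, 8, 0, 0, ntype)

def build_sample(exchange: int, first: int, payloads: bytes, msg_id: int = 0) -> bytes:
    """Constructed message: fixed initiator SPI, zero responder SPI, initiator request flags."""
    hdr = struct.pack("!QQBBBBII", 0x1122334455667788, 0, first, 0x20, exchange, FLAG_INITIATOR, msg_id, 28 + len(payloads))
    return hdr + payloads

# Constructed samples: IKE_SA_INIT request with NAT-T and fragmentation notifies; IKE_AUTH fragment 1 of 2 (SKF).
SA_INIT = build_sample(34, PAYLOAD_NOTIFY, notify(PAYLOAD_NOTIFY, 16388) + notify(PAYLOAD_NOTIFY, 16389) + notify(0, 16430))
IKE_AUTH_FRAG = build_sample(35, PAYLOAD_SKF, struct.pack("!BBHHH", 0, 0, 8, 1, 2), msg_id=1)
```

Feeding captured UDP 500/4500 payloads (after stripping the four-byte non-ESP marker on port 4500) to parse_ikev2 gives a per-message log of exchange type, direction and advertised capabilities without needing any keys.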