Exam 350-701 topic 1 question 601 discussion

Actual exam question from Cisco's 350-701
Question #: 601
Topic #: 1

Refer to the exhibit. An administrator is configuring a VPN tunnel on a Cisco router. The information provided by the administrator of the remote end of the VPN tunnel was that IKEv1 is the tunnel protocol with a preshared key of C1$c0463835440!. The encryption for both phases is AES and the hash for both phases is SHA-256. The source subnet is 10.10.10.x/24 and the destination subnet is 10.10.20.x/24. The local device cannot establish a VPN tunnel and the debug message shown here is seen in the log file. What must be verified to correct the configuration?

  • A. Ensure that the IKE version is identical on both ends
  • B. Ensure that the ISAKMP policy configuration is identical on both ends
  • C. Ensure that the preshared key is identical on both ends
  • D. Ensure that the ACLs that define interesting traffic are symmetrical on both ends
Suggested Answer: D

Comments

nm1122
3 days, 2 hours ago
Selected Answer: D
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#toc-hId-1987608815
The access lists on each peer need to mirror each other (all entries need to be reversible). This example illustrates this point.
Peer A
  access-list 150 permit ip 172.21.113.0 0.0.0.255 172.21.114.0 0.0.0.255
  access-list 150 permit ip host 10.2.0.8 host 172.21.114.123
Peer B
  access-list 150 permit ip 172.21.114.0 0.0.0.255 172.21.113.0 0.0.0.255
  access-list 150 permit ip host 172.21.114.123 host 10.2.0.8
upvoted 1 times
dfb0b7d
2 months, 2 weeks ago
Selected Answer: D
Proxy Identities Not Supported
This message appears in debugs if the access list for IPsec traffic does not match. The access lists on each peer need to mirror each other (all entries need to be reversible).
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
upvoted 2 times
kloug
2 months, 2 weeks ago
The answer is a
upvoted 1 times
kloug
2 months, 2 weeks ago
Answer b
upvoted 1 times
97c291d
2 months, 4 weeks ago
Selected Answer: D
Proxy Identities Not Supported
This message appears in debugs if the access list for IPsec traffic does not match.
  1d00h: IPSec(validate_transform_proposal): proxy identities not supported
  1d00h: ISAKMP: IPSec policy invalidated proposal
  1d00h: ISAKMP (0:2): SA not acceptable!
The access lists on each peer need to mirror each other (all entries need to be reversible). This example illustrates this point.
Peer A
  access-list 150 permit ip 172.21.113.0 0.0.0.255 172.21.114.0 0.0.0.255
  access-list 150 permit ip host 10.2.0.8 host 172.21.114.123
Peer B
  access-list 150 permit ip 172.21.114.0 0.0.0.255 172.21.113.0 0.0.0.255
  access-list 150 permit ip host 172.21.114.123 host 10.2.0.8
Source: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
upvoted 2 times
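
The mirroring requirement quoted in the comments above can be checked offline before a tunnel is brought up. The following is an added example, not part of the original discussion or of Cisco's documentation: it parses the `permit ip` entries of numbered crypto ACLs from both peers and reports any entry without a reversed counterpart. The subnets are the ones from the question; the ACL number 150 and the mismatched remote entry are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample ACLs: subnets from the question, ACL number 150 assumed.
LOCAL_ACL = "access-list 150 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255"
REMOTE_OK = "access-list 150 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255"
# Constructed mismatch: the remote end describes the far side as a /16.
REMOTE_BAD = "access-list 150 permit ip 10.10.20.0 0.0.0.255 10.10.0.0 0.0.255.255"

ENTRY = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # Invert the wildcard into a netmask; a non-contiguous wildcard raises ValueError.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (source, destination) networks the ACL permits."""
    pairs = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            tokens = m.group(1).split()
            pairs.add((_take_addr(tokens), _take_addr(tokens)))
    return pairs


def unmirrored(local_text, remote_text):
    """Entries on either peer that lack a reversed counterpart on the other."""
    local, remote = parse_crypto_acl(local_text), parse_crypto_acl(remote_text)
    mirrored_remote = {(dst, src) for src, dst in remote}
    return {
        "local_only": sorted(local - mirrored_remote),
        "remote_only": sorted((d, s) for s, d in mirrored_remote - local),
    }


if __name__ == "__main__":
    print("mirrored pair:  ", unmirrored(LOCAL_ACL, REMOTE_OK))
    print("mismatched pair:", unmirrored(LOCAL_ACL, REMOTE_BAD))
```

Both lists come back empty only when every entry on one peer has an exact source/destination reversal on the other; a broader or narrower network on one side shows up in both lists.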
klu16
4 months, 3 weeks ago
Selected Answer: B
I think I will go with B here...
upvoted 1 times