Refer to the exhibit. After applying IPsec, the engineer observed that the DMVPN tunnel went down, and both spoke-to-spoke and hub were not establishing. Which two actions resolve the issue? (Choose two.)
A. Change the mode from mode tunnel to mode transport on R3.
B. Remove the crypto isakmp key cisco address 10.1.1.1 on R2 and R3.
C. Configure the crypto isakmp key cisco address 192.1.1.1 on R2 and R3.
D. Configure the crypto isakmp key cisco address 0.0.0.0 on R2 and R3.
E. Change the mode from mode transport to mode tunnel on R2.
I LITERALLY just labbed this. Please forgive the long explanation but I want to share for future testers. I was torn between changing the tunnel mode or removing one address and adding the other. B and D are definitely correct. You can't just put in the command with 0.0.0.0. If you do, you will end up with two crypto key commands and both addresses so the one to the tunnel address MUST be removed. Again, NO DOUBT...B AND D!!!!!
Having many crypto keys is not an issue. You can leave the 10.1.1.1 key. If you add either 0.0.0.0 or 192.1.1.1 on top of it, the tunnel protocol will go up.
Mode is important: since we are using GRE, we are already using tunnels, so we can use transport mode. If you use tunnel mode, you will have even more overhead that you don't need.
A: The IPsec profile supports both modes (tunnel or transport), but there is a catch: both ends of the tunnel must have the same IPsec profile to be able to authenticate. In simple terms, the mode is part of the IPsec profile, so it must match in the IPsec profile on both routers.
D: We should replace the specified address (10.1.1.1) on the spokes with 0.0.0.0, which in simple terms means "negotiate this IPsec profile with anybody who has it".
B is useless because it is already included in answer D.
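To make the A/D reasoning concrete, here is a spoke configuration written as an added example; it is not the exhibit from the question and was not posted by anyone in this thread. It assumes the hub's NBMA address is 192.1.1.1 and its tunnel address is 10.1.1.1 (as the answer options imply) and invents R2's own addresses (tunnel 10.1.1.2, NBMA 192.1.1.2 on GigabitEthernet0/0); R3 would be identical apart from those addresses. It also uses AES/SHA-256 instead of the esp-des transform set shown in the lab output further down, since DES is no longer acceptable. The point worth seeing is that ISAKMP looks up the pre-shared key by the peer's NBMA (tunnel source) address, never by the overlay tunnel address, so a key bound to 10.1.1.1 can never match any peer; the wildcard key from option D matches the hub and, for spoke-to-spoke tunnels, the other spoke's NBMA address as well.

```ios
! Spoke R2 (assumed addresses; R3 differs only in its tunnel and NBMA addresses)
!
! Phase 1 policy, must be agreed with the hub and every other spoke.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Option D: the wildcard key matches any IKE peer address, so both the hub
! (192.1.1.1) and the other spokes can authenticate. The old key bound to the
! tunnel address 10.1.1.1 never matches anything; removing it (option B) is
! tidy but not required, because IOS searches the keys until one matches.
no crypto isakmp key cisco address 10.1.1.1
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! Option A: transport mode. GRE already provides the outer tunnel header, so
! tunnel mode only adds another IP header. Whatever mode is chosen must be the
! same in the transform set on every DMVPN router.
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set TSET
!
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 ip nhrp map 10.1.1.1 192.1.1.1
 ip nhrp map multicast 192.1.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
```

After the change, `show crypto isakmp sa` should list the hub's NBMA address in state QM_IDLE, `show crypto ipsec sa` should show the encaps/decaps counters rising, and `show dmvpn` should report the NHS entry as UP. The security caveat a practitioner should keep in mind: a wildcard pre-shared key means anyone who learns the key can complete phase 1 with every router in the DMVPN, so for anything beyond a lab prefer per-peer keys bound to NBMA addresses, or certificate (RSA-SIG) authentication, over the 0.0.0.0 shortcut that this exam question is after.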
In the lab scenario I posted below, mismatched tunnel modes meant the spokes couldn't reach each other, but they could reach the hub. The crypto keys are processed until a match is found.
R3(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
R3(cfg-crypto-trans)#crypto ipsec transform-set TSET esp-des
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/6 ms
R3(cfg-crypto-trans)#
The tunnel mode needs to be the same, and it is okay to have more than one key.
In the ENARSI Official Cert Guide, Cisco says: "... mode tunnel in IPsec is not necessary. It adds 20 more bytes to the header and brings no benefit... USE TRANSPORT MODE" (page 827 of the second edition).
R2 modify address:
crypto isakmp key cisco address 0.0.0.0
R2(config)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Ping times out: why? We still have the IPSEC SA mapped to 10.1.1.1
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/10 ms
R2#
R2#
Hence you do not need to remove the
R2: sh run
crypto isakmp key cisco address 10.1.1.1
crypto isakmp key cisco address 0.0.0.0
!
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/9/18 ms
R2#
Change R2 to tunnel again
R3(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/10 ms
R3(config-if)#
DMVPN uses GRE; NHRP can only be encapsulated in a GRE packet. If you change the mode of the tunnel interface to IPsec, then you are going to have a VTI instead of a GRE tunnel interface, with the result that you can no longer use DMVPN.
So first we need to take off IPsec tunnel mode and use transport mode.
Because we have more than one peer, we need to add the command so that all the peers use the same pre-shared key; otherwise you will not be able to build the phase 1 tunnel.
Answer is A and D. It will run through the key addresses in order.
"You can have multiple isakmp policies on your router. The router will run through them in order until it finds a match. So you just need to add a new isakmp policy with a different sequence number eg."
https://community.cisco.com/t5/other-security-subjects/can-you-have-multiple-crypto-isakmp-policies-on-a-router/td-p/840716
I tested this scenario in my DMVPN lab just now. For this lab I configured the IPsec transform set with "mode tunnel" on the hub and also on the spokes. DMVPN was up, EIGRP was working, etc. But then I changed the transform set on spoke2 to "mode transport" and shut/no shut the tunnel interface. Spoke2 is not able to ping the hub or the other spoke after that. So I'm 100% sure that one of the answers is "A", and it looks like having multiple keys is not an issue, so I'd go with "D" as well.
But before taking my comment as absolutely correct, lab it yourself.
Correct: B and D. You can't just put in the command with 0.0.0.0. If you do, you will end up with two crypto key commands and both addresses, so the one to the tunnel address MUST be removed.