Exam 350-701 topic 1 question 71 discussion

B is correct. When you use “address” it is referring to the remote peer you share the key with. If you want to add more than 1 ip add, you will have to use group key.

It's weird that they used a network address, but this command authenticates a single VPN peer. Leaving B correct.

C is correct. https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios/218432-configure-a-site-to-site-ipsec-ikev1-tun.html....ikev1 is key....no pun intended....ikev2 diff, see below. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html

it is an IKE v1 command so the answer is C

isakmp command refers to IKEv1 and without specifying a mask it will use the default classful mask which in this case would be 255.255.0.0 for 172.16.0.0. So answer C is absolutely the correct answer. nospampls also demonstrates this with output.

C is correct, the command crypto isakmp key ciscXXXXXXXX address 172.16.0.0 0.0.255.255 authenticates IKEv1 peers in the 172.16.0.0/16 range by using the preshared key ciscXXXXXXXX.

Answer C

The command crypto isakmp key you provided is related to IKEv1, not IKEv2. IKEv1 (Internet Key Exchange version 1) is configured using crypto isakmp commands, whereas IKEv2 (Internet Key Exchange version 2) is configured using crypto ikev2 commands. If you want to configure a pre-shared key for IKEv1, the crypto isakmp key command is used as shown in your original question. If you want to configure a pre-shared key for IKEv2, you would use crypto ikev2 keyring and crypto ikev2 profile commands. The distinction is important because the two versions of IKE have different configurations and characteristics. So IMHO - C is the right answer!

C is correct, o IOS assumes a /16 mask if you omit the mask, like when you put at the and 0.0.0.0 and the IOS assumes a /0 mask (any). I test in the lab: ... Router(config)# crypto isakmp key Mudar@123 address 172.16.0.0 Router(config)#do show crypto isakmp key Keyring Hostname/Address Preshared Key default 172.16.0.0 [255.255.0.0] Mudar@123 Router(config)#

Some of you are overthinking this. Go here: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfike.html#wp1017897 Search: crypto isakmp key and read. When you enter the peer using address, the mask is optional if you want to specify the subnet. If you specify no subnet then the address is to a single peer. In this case, 172.16.0.0/32 leaving B the only correct answer.

B Is always correct. Using IKEv1 or IKEv2. C will fail if I use IKEv2...

With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users. Note If you specify mask, you must use a subnet address. (The subnet address 0.0.0.0 is not recommended because it encourages group preshared keys, which allow all peers to have the same group key, thereby reducing the security of your user authentication.)

C is correct Apart from reasons already given by other C campaigners ikev2 uses a different format for keys crypto ikev2 keyring IKEv2-KEYRING peer 1.2.3.4 address 1.2.3.4 pre-shared-key cisco123 apart from that whe you actually run the command in a lab it results in 172.16.0.0 [255.255.0.0] It assumes a subnet for anything that ends in .0

B is correct

This question is tricky, it is testing the concept I believe. According to the CLI, it should be "peer". In Option B, it is 172.16.0.0/32 "peer", but in Option C, it is 172.16.0.0 "range". No matter then can be reachable, I will select the one with "peer".

B "If the mask argument is used, preshared keys are no longer restricted between two users" so its restricted to 172.16.0.0 https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfike.html

C is the correct answer!