Correct answer is BD!
From the snippet we can see that DPD is turned on (dpd: mode=on-demand on=1…) and that the IPsec SA is using a 2048-entry replay window (replaywin=2048), which implies anti-replay is enabled. So, C is incorrect (DPD is enabled, not disabled) and D is correct (anti-replay is enabled).
For the quick-mode selectors, FortiGate labels the local subnet as src and the remote subnet as dst from its own perspective. Here, src=0:10.1.2.0/255.255.255.0 and dst=0:10.1.1.0/255.255.255.0 indicates the other side (the remote FortiGate) sees its “destination” as “10.1.2.0/24.” That makes B correct. Conversely, the tunnel ID and arrow notation show that 10.200.4.1 is the remote gateway IP, so A is not correct.
The correct statements are:
A. The remote gateway IP is 10.200.5.1.
You can see this in the "serial-1 10.200.5.1:0->10.200.4.1:0" portion of the output.
D. Anti-replay is enabled.
The output shows "replaywin-2048", which indicates that anti-replay is enabled with a replay window of 2048 packets.
Ic3Box
1 month ago
TrX
3 months, 1 week ago
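Added example, not part of either comment and not Fortinet code: a small Python parser that pulls the fields discussed in this thread out of tunnel output, so a tunnel can be checked for DPD, anti-replay and selectors in one pass. The sample string is constructed from the fragments quoted above only; reading the address after the arrow as the remote gateway, `mode=off` as DPD disabled, and `replaywin=0` as anti-replay disabled are assumptions.

```python
import ipaddress
import re

# Constructed sample: only the fragments quoted in the comments above,
# joined into one string. It is not the full output from the question.
SAMPLE = (
    "10.200.5.1:0->10.200.4.1:0 "
    "dpd: mode=on-demand on=1 "
    "src=0:10.1.2.0/255.255.255.0 dst=0:10.1.1.0/255.255.255.0 "
    "replaywin=2048"
)

IP = r"(\d+\.\d+\.\d+\.\d+)"


def _selector(text, key):
    """Return a quick-mode selector (src or dst) in CIDR form, or None."""
    m = re.search(rf"\b{key}=\d+:{IP}/{IP}", text)
    if not m:
        return None
    return str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))


def parse_tunnel(text):
    """Extract gateways, DPD mode, replay window and selectors."""
    gw = re.search(rf"{IP}:\d+->{IP}:\d+", text)
    dpd = re.search(r"dpd:\s*mode=(\S+)", text)
    win = re.search(r"replaywin=(\d+)", text)
    window = int(win.group(1)) if win else None
    mode = dpd.group(1) if dpd else None
    return {
        # Assumption: left of the arrow is this unit, right is the peer.
        "local_gw": gw.group(1) if gw else None,
        "remote_gw": gw.group(2) if gw else None,
        "dpd_mode": mode,
        # Assumption: any mode other than "off" means DPD is enabled.
        "dpd_enabled": mode is not None and mode != "off",
        "replay_window": window,
        # Assumption: a window of 0 means anti-replay is disabled.
        "anti_replay": window is not None and window > 0,
        "src": _selector(text, "src"),
        "dst": _selector(text, "dst"),
    }


if __name__ == "__main__":
    for field, value in parse_tunnel(SAMPLE).items():
        print(f"{field:14} {value}")
```
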