VPN Interview Questions and Answers

Uploaded by MD IRFAN

7/1/24, 5:02 PM VPN Interview Questions and Answers | Networker Interview

VPN Interview Questions and Answers

What is VPN?
A Virtual Private Network (VPN) creates a secure network connection over a public network such as the internet. It
allows devices to exchange data through a secure virtual tunnel. It uses a combination of security features like
encryption, authentication, tunneling protocols, and data integrity to provide secure communication between
participating peers.

What is Authentication, Confidentiality & Integrity?


Authentication - Verifies that the packet received is actually from the claimed sender, i.e. it verifies the
authenticity of the sender. Pre-shared keys and digital certificates are some of the methods that can be used for
authentication.
Integrity - Ensures that the contents of the packet have not been altered in transit by a man-in-the-middle.
Hashing algorithms include MD5 and SHA.
Confidentiality - Encrypts the message content so that data is not disclosed to unauthorized parties. Encryption
algorithms include DES (Data Encryption Standard), 3DES (Triple-DES) and AES (Advanced Encryption Standard).

What is Symmetric and Asymmetric Encryption?


In symmetric encryption, a single key is used both to encrypt and decrypt traffic. It is also referred to as a shared
key or shared secret encryption. Symmetric encryption algorithms include DES, 3DES, AES.
In asymmetric encryption, two keys are used to encrypt and decrypt traffic, one for encryption and one for
decryption. The most common asymmetric encryption algorithm is RSA.

What is IPSec VPN?
An IPSec VPN is a VPN built on the IP Security (IPSec) protocol suite. It allows two or more users to communicate
securely by authenticating and encrypting each IP packet of a communication session. IPSec provides data
confidentiality, data integrity and data authentication between participating peers.

At which layer IPSec works?


IPSec secures IP traffic at Layer 3 (the Network Layer) of the OSI model.

Name a major drawback of IPSec?


IPSec only supports unicast IP traffic.

What is the difference between Transport and Tunnel mode?


Tunnel mode - Protects data in network-to-network or site-to-site scenarios. It encapsulates and protects the
entire original IP packet (the payload together with the original IP header) and adds a new outer IP header, so
the entire IP payload including user data is protected.
Transport mode - Protects data in host-to-host or end-to-end scenarios. In transport mode, IPsec protects the
payload of the original IP datagram but not the IP header, so only the upper-layer protocols in the IP payload
(user data) are protected.

IPSec protocols AH and ESP can operate in either transport mode or tunnel mode.

What are the three main security services that IPSec VPN provides?

IPSec offers the following security services:


1. Peer Authentication.
2. Data confidentiality.
3. Data integrity.

Define Digital Signatures?


A digital signature is an attachment to an electronic message used for security purposes. It is used to verify the
authenticity of the sender.

What is Authorization?
Authorization is a security mechanism used to determine a user's or client's privileges or access levels for
network resources, including firewalls, routers, switches and application features. Authorization is normally
preceded by authentication; during authorization, the system checks an authenticated user's access rules and
either grants or refuses access to the resource.

What is Site to Site and Remote Access VPN?


A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a
public network such as the Internet.
A Remote Access VPN allows remote users to connect to the headquarters through a secure tunnel that is
established over the Internet. The remote user is able to access internal, private web pages and perform various
IP-based network tasks.
There are two primary methods of deploying Remote Access VPN:
1. Remote Access IPSec VPN.
2. Remote Access Secure Sockets Layer (SSL) VPN.

What are the 3 protocols used in IPSec?


1. Authentication Header (AH).
2. Encapsulating Security Payload (ESP).
3. Internet Key Exchange (IKE).

Explain IPSec Protocol Headers?


1. Encapsulating Security Payload (ESP) - It is an IP-based protocol that uses IP protocol number 50 for
communication between IPSec peers. ESP is used to protect the confidentiality, integrity and authenticity of the
data and offers anti-replay protection.
Drawback - ESP does not provide protection to the outer IP header.

2. Authentication Header (AH) - It is also an IP-based protocol, and uses IP protocol number 51 for communication
between IPSec peers. AH is used to protect the integrity and authenticity of the data and offers anti-replay
protection. Unlike ESP, AH also protects the IP header.
Drawback - AH does not provide confidentiality protection.

How do ESP & AH provide anti-replay protection?


Both ESP and AH protocols provide anti-replay protection based on sequence numbers. The sender increments
the sequence number after each transmission, and the receiver checks the sequence number and rejects the
packet if it is out of sequence.
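The sequence-number check described above, as an added example that is not part of the original page: a receiver-side sliding window in the style RFC 4303 (ESP) and RFC 4302 (AH) specify, which accepts a limited amount of reordering but drops duplicates and packets that have fallen behind the window. The 64-packet width and the sample sequence numbers are assumptions constructed for the demo.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window for one SA.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been accepted.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size      # window width; 64 is a common default (assumption)
        self.top = 0          # highest accepted sequence number (0 = nothing yet)
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if the packet is fresh and inside the window."""
        if seq == 0:
            return False      # sequence number 0 is never valid on an SA
        mask = (1 << self.size) - 1
        if seq > self.top:
            # Newer than anything seen: slide the window so `seq` is its right edge.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False      # older than the window: dropped as a possible replay
        if self.bitmap & (1 << offset):
            return False      # already seen: a replayed (duplicate) packet
        self.bitmap |= 1 << offset   # late but unseen: accept it and mark it
        return True


def replay_check_trace(seqs, size: int = 64):
    """Feed received sequence numbers through one SA's window.

    Returns a list of (seq, accepted) pairs so the decisions can be inspected.
    """
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


# Constructed sample: in-order packets, one reordered packet, a replay of 3,
# a jump past the whole window, two stale packets, then a late-but-valid packet.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 70, 5, 6, 200, 150]

if __name__ == "__main__":
    for seq, ok in replay_check_trace(SAMPLE_SEQS):
        print(f"seq {seq:>4}: {'accept' if ok else 'DROP (replay/stale)'}")
```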


What is IKE?
It is a hybrid protocol that implements Oakley and SKEME key exchanges inside the Internet Security
Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism for creating and
exchanging keys. IKE derives authenticated keying material and negotiates SAs that are used for ESP and AH
protocols.

Which protocol does IKE use?


IKE uses UDP port 500.

Explain how IKE/ISAKMP works?


IKE is a two-phase protocol:
Phase 1
IKE phase 1 negotiates the following:
1. It protects the phase 1 communication itself (using crypto and hash algorithms).
2. It generates the session key using Diffie-Hellman groups.
3. Peers authenticate each other using pre-shared keys, public key encryption, or digital signatures.
4. It also protects the negotiation of the phase 2 communication.

There are two modes in IKE phase 1:


Main mode - A total of six messages are exchanged in main mode to establish the phase 1 SA.
Aggressive mode - Faster than main mode, as only three messages are exchanged to establish the phase 1 SA,
but less secure.

At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE communication.

Phase 2
IKE phase 2 protects the user data and establishes the SAs for IPSec.
There is one mode in IKE phase 2:
Quick mode - In this mode, three messages are exchanged to establish the phase 2 IPSec SA.
At the end of the phase 2 negotiation, two unidirectional IPSec SAs (phase 2 SAs) are established for user data,
one for sending and one for receiving encrypted data.

Explain the messages exchange between the peers in IKE/ISAKMP?


Phase 1 - Main Mode

MESSAGE 1: Initiator offers a policy proposal which includes encryption, authentication and hashing algorithms
(like AES or 3DES, PSK or PKI, MD5 or RSA).
MESSAGE 2: Responder presents policy acceptance (or not).
MESSAGE 3: Initiator sends the Diffie-Hellman key and nonce.
MESSAGE 4: Responder sends the Diffie-Hellman key and nonce.
MESSAGE 5: Initiator sends ID and pre-shared key or certificate exchange for authentication.
MESSAGE 6: Responder sends ID and pre-shared key or certificate exchange for authentication.
Only the first four messages are exchanged in clear text. After that, all messages are encrypted.

Phase 2 - Quick Mode

MESSAGE 7: Initiator sends hash, IPSec proposal, ID, nonce.
MESSAGE 8: Responder sends hash, IPSec proposal, ID, nonce.
MESSAGE 9: Initiator sends signature, hash, ID.
All messages in quick mode are encrypted.


What is Diffie-Hellman?
DH is a public-key cryptography protocol which allows two parties to establish a shared secret over an insecure
communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of
Oakley.

How does Diffie-Hellman work?


Each side has a private key, which is never passed, and a Diffie-Hellman key (a public key used for encryption).
When both sides want to do a key exchange, they send their public key to each other. For example, Side A gets the
public key of Side B, then using RSA it creates a shared key which can only be opened on Side B with Side B's
private key. So, even if somebody intercepts the shared key, he will not be able to reverse engineer it, as only
the private key of Side B will be able to open it.
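The shared-secret computation that the "What is Diffie-Hellman?" answer describes, as an added example that is not part of the original page: each side keeps its private exponent, exchanges only its public value (IKE main mode messages 3 and 4), and both arrive at the same g^xy. The 5-bit toy group, the nonce handling and the HMAC-SHA256 key derivation (loosely modeled on IKEv1's signature-mode SKEYID = prf(Ni | Nr, g^xy)) are assumptions for the demo; real IKE uses the large MODP groups such as DH group 14.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy group, constructed for the demo only. IKE negotiates a large MODP group
# (e.g. group 14, a 2048-bit prime from RFC 3526), never a 5-bit prime like this.
TOY_P = 23
TOY_G = 5


def dh_keypair(p: int, g: int, private: Optional[int] = None) -> Tuple[int, int]:
    """Return (private, public) for one side. The private value never leaves the host."""
    while True:
        x = private if private is not None else 2 + secrets.randbelow(p - 3)
        public = pow(g, x, p)                   # g^x mod p is the only thing sent
        if 1 < public < p - 1 or private is not None:
            return x, public                    # retry random keys that hit 1 or p-1


def dh_shared_secret(p: int, peer_public: int, private: int) -> int:
    """Both sides compute (peer_public ^ private) mod p and obtain the same g^xy."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value outside the group: reject the exchange")
    return pow(peer_public, private, p)


def skeyid_from_dh(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Assumed simplification of SKEYID = prf(Ni | Nr, g^xy) with HMAC-SHA256 as prf."""
    gxy = shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha256).digest()


def run_exchange(p: int = TOY_P, g: int = TOY_G, priv_a: Optional[int] = None,
                 priv_b: Optional[int] = None) -> dict:
    """Simulate the exchange: each side sends only its public value and a nonce."""
    a, pub_a = dh_keypair(p, g, priv_a)
    b, pub_b = dh_keypair(p, g, priv_b)
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # An eavesdropper sees p, g, pub_a, pub_b and the nonces, but never a or b.
    secret_a = dh_shared_secret(p, pub_b, a)    # side A uses B's public value
    secret_b = dh_shared_secret(p, pub_a, b)    # side B uses A's public value
    return {
        "public_a": pub_a, "public_b": pub_b,
        "secret_a": secret_a, "secret_b": secret_b,
        "keys_match": skeyid_from_dh(secret_a, nonce_a, nonce_b)
                      == skeyid_from_dh(secret_b, nonce_a, nonce_b),
    }


if __name__ == "__main__":
    # With private exponents 6 and 15 the toy group yields public values 8 and 19
    # and the shared secret 2 on both sides.
    print(run_exchange(priv_a=6, priv_b=15))
```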

What are Security Associations?


The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to
be used by the two peers. SAs are unidirectional and are established per security protocol (AH or ESP).

What is Transform set?


An IKE transform set is a combination of security protocols and algorithms. During the IPsec SA negotiation, the
peers agree to use a particular transform set for protecting a particular data flow.

What are Crypto access lists?


Crypto access lists specify which IP traffic is protected by crypto and which traffic is not. To protect IP
traffic, the "permit" keyword is used in the access list. If the traffic is not to be protected, the "deny"
keyword is used in the access list.

What is Crypto map?


Crypto map is used to pull together the various parts used to set up IPSec SAs including:
1. Which traffic should be protected by IPSec (crypto access list).
2. Where IPSec-protected traffic should be sent (remote IPSec peer).
3. What IPSec SA should be applied to this traffic (transform sets).
Multiple interfaces can share the same crypto map set in case we want to apply the same policy to multiple
interfaces.
If more than one crypto map entry is created for a given interface, the sequence number of each map entry ranks
the entries: the lower the seq-num argument, the higher the priority.
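How the three parts of a crypto map come together for one packet, as an added example that is not part of the original page: the crypto access list decides whether a flow is protected ("permit") or not ("deny"), and the lowest seq-num entry whose list permits the flow supplies the peer and transform set. The way a "deny" in one entry's list simply moves evaluation on to the next entry, and the addresses, peers and transform-set names, are assumptions constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" = protect with IPsec, "deny" = leave in the clear
    src: str             # source prefix, e.g. "10.1.0.0/16"
    dst: str             # destination prefix


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int             # lower seq-num = higher priority
    peer: str            # remote IPsec peer the protected traffic is sent to
    transform_set: str   # which IPsec SA parameters apply to the flow
    acl: tuple           # the crypto access list, evaluated top-down


def acl_action(acl, src_ip, dst_ip) -> Optional[str]:
    """First-match evaluation; None means no line matched (implicit deny)."""
    for line in acl:
        if src_ip in ipaddress.ip_network(line.src) and dst_ip in ipaddress.ip_network(line.dst):
            return line.action
    return None


def classify(crypto_map, src: str, dst: str) -> dict:
    """Walk the crypto map set in seq order; the first entry whose ACL permits the flow wins.

    A deny (or no match) in one entry's ACL only means "not this entry": later entries
    are still consulted, and a flow permitted by none leaves the interface unprotected.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_action(entry.acl, src_ip, dst_ip) == "permit":
            return {"protected": True, "seq": entry.seq,
                    "peer": entry.peer, "transform_set": entry.transform_set}
    return {"protected": False}


# Constructed policy: two site-to-site entries sharing one interface.
CRYPTO_MAP = (
    CryptoMapEntry(10, "203.0.113.2", "TS-AES256-SHA256",
                   (AclEntry("permit", "10.1.0.0/16", "10.2.0.0/16"),)),
    CryptoMapEntry(20, "203.0.113.3", "TS-AES128-SHA1",
                   (AclEntry("deny", "10.1.0.0/16", "10.3.5.0/24"),   # one subnet stays in the clear
                    AclEntry("permit", "10.1.0.0/16", "10.3.0.0/16"))),
)

if __name__ == "__main__":
    for flow in [("10.1.1.1", "10.2.9.9"), ("10.1.1.1", "10.3.1.1"),
                 ("10.1.1.1", "10.3.5.7"), ("10.1.1.1", "192.0.2.10")]:
        print(flow, classify(CRYPTO_MAP, *flow))
```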

How do you check the status of the tunnel’s phase 1 & 2?


Use the following commands to check the status of the tunnel phases:
Phase 1 - # show crypto isakmp sa
Phase 2 - # show crypto ipsec sa

What is IPsec Virtual Tunnel Interface?


IPSec VTI is the concept of using a dedicated IPsec interface called IPSec Virtual Tunnel Interface for highly
scalable IPSec-based VPNs. IPSec VTI provides a routable interface for terminating IPSec tunnels. VTI also
allows the encrypting of multicast traffic with IPSec.

What is the difference between Static Crypto Maps and Dynamic Crypto Maps?
Static crypto maps are used when the peers are predetermined. They are basically used in IPSec site-to-site VPNs.
Dynamic crypto maps are used with networks where the peers are not always predetermined. They are basically used
in IPSec remote access VPNs.


There are two types of IPSec VTI interfaces:


1. Static VTI (SVTI): This can be used for site-to-site IPsec-based VPNs.
2. Dynamic VTI (DVTI): DVTI replaces dynamic crypto maps. It can be used for remote-access VPNs.

What is Cisco Easy VPN?


Remote Access VPN, when implemented with IPsec, is called Cisco Easy VPN. Easy VPN is easy to set up, with
minimal configuration required at the remote client site. Cisco Easy VPN allows us to define centralized security
policies at the head-end VPN device (the VPN server), which are then pushed to the remote site VPN device upon
connection.

What is DMVPN?
DMVPN allows IPSec VPN networks to scale better in hub-to-spoke and spoke-to-spoke topologies, optimizing
performance and reducing latency for communications between sites.
It offers the following benefits:
1. It optimizes network performance.
2. It reduces router configuration on the hub.
3. Support for dynamic routing protocols running over the DMVPN tunnels.
4. Support for multicast traffic from the hub to the spokes.
5. The capability to establish direct spoke-to-spoke IPsec tunnels for communication between sites without
having the traffic go through the hub.

What are the three phases of DMVPN?


Phase 1 - In phase 1 we use NHRP so that spokes can register themselves with the hub. Only the hub uses a
multipoint GRE interface; all spokes use regular point-to-point GRE tunnel interfaces, which means that there is
no direct spoke-to-spoke communication and all traffic has to go via the hub.
The only advantage of the phase 1 setup is that the hub router's configuration is much simpler.
Summarization is possible in phase 1.

Phase 2 - In phase 2 all spoke routers also use multipoint GRE tunnels, so we do have direct spoke-to-spoke
tunneling. When a spoke router wants to communicate with another spoke, it sends an NHRP resolution request to
the hub to find the NBMA IP address of the other spoke. Summarization is not possible in phase 2.
Full process:
1. Spoke 1 forwards a packet whose next hop is another spoke (spoke 2). There is no NHRP map entry for this
spoke, so an NHRP resolution request is sent to the hub.
2. The request from spoke 1 contains the tunnel IP address of spoke 2, so the hub relays the request to spoke 2.
3. Spoke 2 receives the request, adds its own address mapping to it and sends it as an NHRP reply directly to
spoke 1.
4. Spoke 2 then sends its own NHRP resolution request to the hub, which relays it to spoke 1.
5. Spoke 1 receives the request from spoke 2 via the hub and replies by adding its own mapping to it and sending
it directly to spoke 2.
The spoke-to-spoke tunnel is established.
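The five-step phase 2 resolution process above, as an added example that is not part of the original page: a small simulation in which spokes register with the hub on boot, the hub only relays resolution requests, each spoke answers the requester directly, and the mapping is cached so a second lookup never touches the hub. The topology, the documentation addresses and the message format are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Hub:
    tunnel_ip: str
    nbma_ip: str
    nhrp_db: dict = field(default_factory=dict)   # tunnel IP -> NBMA (public) IP, from registrations
    trace: list = field(default_factory=list)     # every message, to show which path each one takes

    def register(self, spoke: "Spoke") -> None:
        """NHRP registration: a spoke announces its tunnel IP / NBMA IP pair on boot."""
        self.nhrp_db[spoke.tunnel_ip] = spoke.nbma_ip
        self.trace.append(f"register {spoke.tunnel_ip}->{spoke.nbma_ip} at hub")

    def relay(self, request: dict, spokes: dict) -> dict:
        """The hub does not answer a resolution request itself; it relays it to the target spoke."""
        self.trace.append(f"request {request['src']} -> {request['target']} via hub")
        target_nbma = self.nhrp_db[request["target"]]
        return spokes[target_nbma].on_resolution_request(request, self)


@dataclass
class Spoke:
    tunnel_ip: str
    nbma_ip: str
    nhrp_map: dict = field(default_factory=dict)  # this spoke's tunnel IP -> NBMA IP cache

    def boot(self, hub: Hub) -> None:
        self.nhrp_map[hub.tunnel_ip] = hub.nbma_ip  # the hub's NBMA address is static config
        hub.register(self)

    def on_resolution_request(self, request: dict, hub: Hub) -> dict:
        """Add own mapping and send the reply straight to the requester's NBMA address (step 3 / 5)."""
        hub.trace.append(f"reply {self.tunnel_ip} -> {request['src']} direct to {request['src_nbma']}")
        return {"src": self.tunnel_ip, "src_nbma": self.nbma_ip, "to": request["src"]}

    def resolve(self, target_tunnel_ip: str, hub: Hub, spokes: dict) -> str:
        """Return the NBMA address for a spoke tunnel IP, asking the hub only on a cache miss."""
        if target_tunnel_ip not in self.nhrp_map:
            request = {"src": self.tunnel_ip, "src_nbma": self.nbma_ip, "target": target_tunnel_ip}
            reply = hub.relay(request, spokes)
            self.nhrp_map[reply["src"]] = reply["src_nbma"]
        return self.nhrp_map[target_tunnel_ip]


def spoke_to_spoke(src: Spoke, dst: Spoke, hub: Hub, spokes: dict) -> tuple:
    """Steps 1-5: both spokes resolve each other, after which a direct tunnel can be built."""
    dst_nbma = src.resolve(dst.tunnel_ip, hub, spokes)   # steps 1-3
    src_nbma = dst.resolve(src.tunnel_ip, hub, spokes)   # steps 4-5
    return dst_nbma, src_nbma


def build_demo() -> tuple:
    """Constructed topology: one hub and two spokes, keyed by NBMA address."""
    hub = Hub("10.0.0.254", "203.0.113.1")
    spokes = {s.nbma_ip: s for s in (Spoke("10.0.0.1", "198.51.100.1"), Spoke("10.0.0.2", "198.51.100.2"))}
    for spoke in spokes.values():
        spoke.boot(hub)
    return hub, spokes


if __name__ == "__main__":
    hub, spokes = build_demo()
    print(spoke_to_spoke(spokes["198.51.100.1"], spokes["198.51.100.2"], hub, spokes))
    print("\n".join(hub.trace))
```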

Phase 3 - In phase 3, NHRP redirect configured on the hub tells the initiating spoke to look for a better path to
the destination spoke. On receiving the NHRP redirect message, the spokes communicate with each other over the
hub and get their NHRP replies for the NHRP resolution requests they sent out.
NHRP shortcut configured on the spoke updates the CEF table: it changes the next-hop value for a remote spoke
from the initial hub tunnel IP address to the NHRP-resolved tunnel IP address of the remote spoke.
Summarization is possible in phase 3.

Explain Next Hop Resolution Protocol (NHRP)?


It is a Layer 2 protocol which is used to map a tunnel IP address to an NBMA address. It functions similarly to
ARP. The hub maintains the NHRP database of the public addresses of each spoke. When a spoke boots up, it
registers its real address with the hub and queries the NHRP database for the real addresses of other spokes so
that they can build direct tunnels.

What is GRE?
Generic Routing Encapsulation Protocol is a tunneling protocol developed by Cisco designed to encapsulate IP
unicast, multicast and broadcast packets. It uses IP protocol number 47.

Name a major drawback of both GRE & L2TP?


No encryption.

What is SSL VPN? How it is different from IPSec VPN?


SSL VPN provides remote access connectivity from any internet-enabled device through a standard web browser
and its native SSL encryption. It does not require any special client software at the remote site. An IPSec VPN
connection is initiated using pre-installed VPN client software, so it requires the installation of special client
software. An SSL VPN connection is initiated through a web browser, so it does not require any special-purpose
VPN client software; only a web browser is required.

At which Layer does SSL VPN operate?


SSL is an Application layer (Layer 7) cryptographic protocol that provides secure communications over the
Internet for web browsing, e-mail and other traffic. It uses TCP port 443.

What are different SSL VPN Modes?


SSL VPN can be deployed in one of the following three modes:
1. Clientless mode - It works at Layer 7 and provides secure access to web resources and web-based content.
This mode can be used for accessing most content that you would expect to access in a web browser, such as the
Internet, databases and online tools. Clientless mode also supports the Common Internet File System (CIFS).
Clientless mode is limited to web-based content only. It does not provide access to TCP connections such as SSH
or Telnet.

2. Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode provides remote
access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP), Internet
Message Access Protocol (IMAP) and Post Office Protocol (POP3) applications. Thin client is delivered via a Java
applet that is dynamically downloaded from the SSL VPN appliance upon session establishment.

3. Thick client mode - It works at Layer 3 and is also known as tunnel mode or full tunneling client. The thick
client mode provides extensive application support through dynamically downloaded SSL VPN Client software
or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight,
centrally configured, and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3)
access to virtually any application.

Explain SSL Handshake?


1. The client initiates by sending a CLIENT-HELLO message which contains the SSL versions that the client
supports, the order in which the client prefers those versions, the cipher suites (cryptographic algorithms)
supported by the client, and a random number.

2. The server sends back a SERVER-HELLO message which contains the version number (the server selects an SSL
version that is supported by both the server and the client), the cipher suite (the server selects the best cipher
suite supported by both of them), a session ID and random data.

3. The server also sends its PKI certificate, signed and verified by a Certificate Authority, to authenticate
itself, along with the public key for encryption.

4. The server then sends Server Hello Done, indicating that the server has finished sending its hello messages
and is waiting for a response from the client.

5. The client sends its certificate if the server has requested client authentication in the server hello message.

6. The client sends the Client Key Exchange message after calculating the premaster secret with the help of the
random values of both the server and the client. This message is encrypted with the server's public key, which
was shared through the hello message.
The server decrypts the premaster secret with its private key. Now both client and server perform a series of
steps to generate the (symmetric) session keys which will be used for encryption and decryption of the data
exchanged during the SSL session and also to verify its integrity.

7. The client sends a CHANGE CIPHER SUITE message informing the server that future messages will be encrypted
using the session key.

8. The client sends a CLIENT FINISH (DONE) message indicating that the client is done.

9. The server also sends a CHANGE CIPHER SUITE message.

10. The server also sends a SERVER FINISH (DONE) message.

vinayak vavhal

Thanks a ton Broh, you have saved the time and resources of our community.