300-730 Implementing Secure Solutions with Virtual Private Networks (SVPN) Questions and Answers

DMVPN disables the EIRGP next-hop-self with "no ip next-hop-self eigrp xxx" in DMVPN phase 2, and to go from Phase 2 to 3 you need use the NHRP protocol, and again enable EIRGP next-hop-self with "ip next-hop-self eigrp 134" under the tunnel interface https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-dmvpn.html#GUID-BF561439-BCC0-4AAF-80D9-1F7876CB7B81

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-remote-access.html The IPsec-proposal configuration option is used to specify the encryption, integrity, and authentication algorithms that will be used in the IPsec protocol. In the case of IKEv2-based VPN, this option is used to configure the IPsec security associations (SA) that will be established between the VPN client and the VPN gateway during IKEv2 negotiation. IKEv2 uses IPsec as its underlying encryption and authentication protocol, so the IPsec-proposal configuration is essential to establishing a secure VPN tunnel using IKEv2

On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, the command that is needed for the hub to be able to terminate FlexVPN tunnels is interface virtual-template. The interface virtual-template command is used to configure a virtual template interface which provides a secure tunnel for FlexVPN connections. The other commands listed - interface virtual-access, ip nhrp redirect, and interface tunnel - are not related to FlexVPN and are not used to terminate FlexVPN tunnels.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/216276-configure-route-based-site-to-site-vpn-t.html#anc6

https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

According to the Implementing Secure Solutions with Virtual Private Networks (SVPN) documents and learning resources available at cisco.com, the two features that provide headend resiliency for Cisco AnyConnect clients are:

• AnyConnect Backup Servers: This feature allows the AnyConnect client to automatically connect to a backup server in case the primary server is unreachable or fails. The backup server list is configured on the ASA or IOS headend and pushed to the client during the VPN connection establishment. The client can also manually select a backup server from the list if needed. This feature enhances the availability and reliability of the VPN service for the clients12.
• ASA failover: This feature enables two identical ASAs to be paired together as an active/standby or active/active pair. The ASAs synchronize their configuration and state information and monitor each other’s health. If the active ASA fails or becomes unreachable, the standby ASA takes over the traffic and VPN sessions without any disruption for the clients. This feature provides high availability and redundancy for the VPN headend34.

1: AnyConnect Backup Servers 2: Redundancy options for IOS Headend for AnyConnect Clients 3: ASA Failover 4: AnyConnect Implementation and Performance/Scaling Reference for COVID-19 Preparation

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/webvpn.html

https://community.cisco.com/t5/vpn/anyconnect-service-port-not-enabled/td-p/2968124

https://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

HSRP (Hot Standby Router Protocol). HSRP is a Cisco proprietary protocol that provides stateful failover for IPsec virtual private networks (VPNs). It is used to create a virtual router in order to provide redundancy in the event of an IPsec VPN failure. HSRP works by assigning a single primary router to manage the connection and forwarding traffic to the secondary router if the primary router fails.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-configure-policy-groups.html says clearly: In group-policy webvpn configuration mode, you can specify (list of things, including url-list).

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

The user group is used in conjunction with Host Address to form a group-based URL. If you specify the Primary Protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group). For SSL, the user group is the group-url of the connection profile. https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-0000026c

KS (key server) is ‘caretaker’ of the GM group. Group registrations and authentication of GMs is taken care of by KS server. Any GM who wants to join the group is required to be successfully authenticated in the group and sends encryption keys and policy to be used within the group.

===

https://ipwithease.com/introduction-to-getvpn/

The IKEv2 CREATE_CHILD_SA packet is used to establish a new security association (SA) between two peers. This packet contains the details of the exchange, including the traffic selectors, the cryptographic algorithms and keys to be used, and any other relevant information

HTTP (Hypertext Transfer Protocol) is used for transferring web resources, such as web pages and HTML documents, across the internet. CIFS (Common Internet File System) is used for sharing files and printers between computers on a network. ICA (Citrix), VNC (Virtual Network Computing), and RDP (Remote Desktop Protocol) are not enabled by default on the Cisco ASA Clientless SSL VPN portal.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/webvpn-configure-gateway.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116528-config-flexvpn-00.html

When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy. To view the default group policy. https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpngrp.html

https://learningnetwork.cisco.com/s/question/0D53i00000Q4COCCA3/anyconnect-ssl-vpn

The DMVPN-Tunnel Health Monitoring and Recovery (Backup NHS) feature allows you to control the number of connections to the Dynamic Multipoint Virtual Private Network (DMVPN) hub and allows you to switch to alternate hubs in case of a connection failure to the primary hubs. https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-backup-nhs.html#:~:text=The%20DMVPN%2DTunnel%20Health%20Monitoring%20and%20Recovery%20(Backup%20NHS),failure%20to%20the%20primary%20hubs.

Backup NHS, or Next Hop Server, is a feature of DMVPN Phase 3 that allows a spoke router to switch to an alternate hub when the primary hub is unreachable. This is accomplished by using a secondary IP address for the hub router, which is used as the next hop for any traffic sent by the spoke router to the hub.

The correct answer is D. IKEv2 profile. A FlexVPN tunnel requires an IKEv2 profile to define the parameters for the IKEv2 negotiation and the IPsec security association. The IKEv2 profile references the IKEv2 keyring, the authentication method, the identity of the peers, and other options. The IKEv2 profile is then applied to a virtual tunnel interface (VTI) or a dynamic virtual tunnel interface (DVTI) to protect the tunnel with IPsec12. An EAP configuration is used for authentication with Extensible Authentication Protocol (EAP), which is optional for FlexVPN3. A multipoint GRE tunnel interface is used for DMVPN, not FlexVPN. An IKEv1 policy is used for IKEv1, not IKEv2, which is the protocol for FlexVPN.

https://integratingit.wordpress.com/2018/03/31/configuring-flexvpn-external-aaa-with-radius/

interface Tunnel0

ip address negotiated

tunnel source GigabitEthernet1

tunnel mode ipsec ipv4

tunnel destination 1.1.1.5

tunnel protection ipsec profile IPSEC_PROFILE

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-anyconnect.html

Configure Dead Peer Detection Dead Peer Detection (DPD) ensures that the ASA (gateway) or the client can quickly detect a condition where the peer is not responding, and the connection has failed. To enable dead peer detection (DPD) and set the frequency with which either the AnyConnect client or the ASA gateway performs DPD, do the following: Before you begin This feature applies to connectivity between the ASA gateway and the AnyConnect SSL VPN Client only. It does not work with IPsec since DPD is based on the standards implementation that does not allow padding, and CLientless SSL VPN is not supported. If you enable DTLS, enable Dead Peer Detection (DPD) also. DPD enables a failed DTLS connection to fallback to TLS. Otherwise, the connection terminates.

https://www.networkworld.com/article/2288666/chapter-4--common-ipsec-vpn-issues.html