PrepAway - Latest Free Exam Questions & Answers

Which statement about the above configuration is true?

crypto gdoi group gdoi_group
 identity number 1234
 server local
  sa receive-only
  sa ipsec 1
   profile gdoi-p
   match address ipv4 120

A. The key server instructs the DMVPN spoke to install SAs outbound only.

B. The key server instructs the GDOI group to install SAs inbound only.

C. The key server instructs the DMVPN hub to install SAs outbound only.

D. The key server instructs the GDOI spoke to install SAs inbound only.

Explanation:

One Comment on “Which statement about the above configuration is true?”

  1. Ace says:

    “Receive only SA Feature

    Receive only SA feature is enabled on the Key Server configuration. This enables the SAs to be installed in the inbound direction on all the Group Members. Therefore traffic leaving the GMs will not be encrypted. The GM will decrypt the traffic if it comes encrypted. The incoming traffic will be accepted even if it is not encrypted.

    This can be useful when the GETVPN is being enabled on an existing production network. By configuring receive only mode, the deployment can be validated without encrypting traffic. It also helps to deploy the GETVPN on all the potential locations before the encryption is turned on. Once all the control plane of GETVPN is working satisfactorily and all the GMs are configured with GETVPN, encryption can be enabled by disabling this feature on the Key Server side.”

    http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html



