PrepAway - Latest Free Exam Questions & Answers

Category: JN0-332 (v.2)

Exam JN0-332 – Juniper Networks Certified Internet Specialist (JNCIS-SEC) (August 10th, 2013)

Which configuration parameter is missing at the hub to complete the configuration?

Refer to the Exhibit.

Referring to the exhibit, you are setting up the hub in a hub-and-spoke IPsec VPN. You have
verified that all configured parameters are correct at all sites, but your IPsec VPN is not
establishing to both sites.

Which configuration parameter is missing at the hub to complete the configuration?

What needs to be modified in the configuration shown in the exhibit?

-- Exhibit --
security {
    ike {
        policy IKE-STANDARD {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "XXXXXX";
        }
        gateway GW-HUB {
            ike-policy IKE-STANDARD;
            dynamic hostname site1.company.com;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy IPSEC-STANDARD {
            proposal-set standard;
        }
        vpn VPN-HUB {
            bind-interface st0.0;
            ike {
                gateway GW-HUB;
                ipsec-policy IPSEC-STANDARD;
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            system-services {
                ping;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
-- Exhibit --
Refer to the Exhibit.
You are implementing a new route-based IPsec VPN on an SRX Series device and the tunnel will
not establish.
What needs to be modified in the configuration shown in the exhibit?

What is the configuration problem with the tunnel?

-- Exhibit --
user@host> show security ike security-associations 1.1.1.2
Index Remote Address State Initiator cookie Responder cookie Mode
8 1.1.1.2 UP 3a895f8a9f620198 9040753e66d700bb Main
user@host> show security ipsec security-associations
Total active tunnels: 0
user@host> show route
inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:25
    > to 2.2.2.1 via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:00:25
    > via ge-0/0/0.0
2.2.2.2/32 *[Local/0] 00:00:25
    Local via ge-0/0/0.0
10.1.1.0/30 *[Direct/0] 00:06:06
    > via st0.0
10.1.1.1/32 *[Local/0] 00:06:06
    Local via st0.0
10.12.1.0/24 *[Direct/0] 00:06:06
    > via ge-0/0/1.0
10.12.1.1/32 *[Local/0] 00:06:06
    Local via ge-0/0/1.0
10.128.64.0/24 *[Static/5] 00:00:25
    > to 2.2.2.1 via ge-0/0/0.0
user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: vpn
Policy: permit-all, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
-- Exhibit --
Refer to the Exhibit.
You have created an IPsec VPN on an SRX Series device. You believe the tunnel is configured
correctly, but traffic from a host with the IP address of 10.12.1.10 cannot reach a remote device
over the tunnel with an IP address of 10.128.64.132. The ge-0/0/1.0 interface is in the trust zone
and the st0.0 interface is in the vpn zone. The output of four show commands is shown in the
exhibit.
What is the configuration problem with the tunnel?

What are two conclusions about the VPN tunnel from the output?

-- Exhibit --
user@host> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:3des/sha1 ac23df79 2532/ unlim - root 4500 1.1.1.1
>131073 ESP:3des/sha1 cbc9281a 2532/ unlim - root 4500 1.1.1.1
user@host> show security ipsec security-associations detail
Virtual-system: root
Local Gateway: 1.0.0.1, Remote Gateway: 1.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Direction: inbound, SPI: ac23df79, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime. Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime. Expires in 2578 seconds
Mode. Tunnel, Type. dynamic, State. installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service. counter-based enabled, Replay window size. 64
Direction: outbound, SPI: cbc9281a, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime. Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime. Expires in 2578 seconds
Mode. Tunnel, Type. dynamic, State. installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service. counter-based enabled, Replay window size. 64
-- Exhibit --
Refer to the Exhibit.
The exhibit shows output from two show commands.
What are two conclusions about the VPN tunnel from the output? (Choose two.)

Which statement would achieve the desired results?

Refer to the Exhibit.

Server A is communicating with Server B directly over the Internet. The servers now must begin
exchanging additional information through an unencrypted protocol. To protect this new data
exchange, you want to establish a VPN tunnel between the two sites that will encrypt just the
unencrypted data while leaving the existing communications directly over the Internet.
Which statement would achieve the desired results?

Which configuration command will correct this error?

-- Exhibit --
user@host# set interfaces ge-0/0/5 gigether-options redundant-parent reth1
user@host# set interfaces ge-5/0/5 gigether-options redundant-parent reth1
user@host# set interfaces reth1.0 family inet address 192.168.1.100/30
user@host# commit
[edit interfaces reth1]
'unit 0'
reth1 needs to be associated with a non-zero redundancy-group
error: configuration check-out failed
-- Exhibit --
Refer to the Exhibit.
Referring to the exhibit, you have built a chassis cluster, set up a reth, and put interfaces into the
reth. However, when you try to commit the configuration, you receive the error shown in the
exhibit.
Which configuration command will correct this error?

Which two actions will restore Node 1 as the primary node for Redundancy Group 2?

Refer to the Exhibit.

Referring to the exhibit, failover to Node 0 occurred for Redundancy Group 2 because of an
interface failure. The interface has since been restored, but Node 0 is still the primary node for
Redundancy Group 2.
Which two actions will restore Node 1 as the primary node for Redundancy Group 2? (Choose
two.)

Which configuration change should be made to ensure failover to Node 1?

-- Exhibit --
user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    interface-monitor {
        ge-0/0/5 weight 85;
        ge-0/0/6 weight 85;
        ge-0/0/7 weight 85;
        ge-0/0/8 weight 85;
        ge-5/0/5 weight 85;
        ge-5/0/6 weight 85;
        ge-5/0/7 weight 85;
        ge-5/0/8 weight 85;
    }
}
-- Exhibit --

Refer to the Exhibit.
Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is
currently the primary node. You want to ensure that traffic using those interfaces fails over to Node
1 if one interface goes down.
Which configuration change should be made to ensure failover to Node 1?

Which configuration change should be made to ensure failover to Node 1?

-- Exhibit --
user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    interface-monitor {
        ge-0/0/5 weight 85;
        ge-0/0/6 weight 85;
        ge-0/0/7 weight 85;
        ge-0/0/8 weight 85;
        ge-5/0/5 weight 85;
        ge-5/0/6 weight 85;
        ge-5/0/7 weight 85;
        ge-5/0/8 weight 85;
    }
}
-- Exhibit --
Refer to the Exhibit.
Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is
currently the primary node. You want to ensure that traffic, using those interfaces, fails over to
Node 1 when all interfaces go down.
Which configuration change should be made to ensure failover to Node 1?

