An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using
DHCP. Which two statements are true? (Choose two.)
A.
Only main mode can be used for IKE negotiation.
B.
A local-identity must be defined.
C.
It must be the initiator for IKE.
D.
A remote-identity must be defined.
Answer: B C
IKE aggressive mode is used when one of the tunnel peers has a dynamic IP address that could be a remote end user dialing into the Internet, or a remote site using DHCP to acquire an IP address. (Main mode cannot be used because the first two messages validate peer IP addresses.
In the case of a dynamic host address, the peer cannot preconfigure the address.)
Phase 1 aggressive mode must initiate by the device with the dynamic IP address.
The first two messages negotiate policy and exchange DH public values and nonces.
In addition, the second message authenticates the responder; the ID hash is compared with the locally configured peer ID.
The third message authenticates the initiator and provides a proof of participation in the exchange.
0
0