Which three statements about the command are true?

While a configuration audit is performed on a router, the set session-key command is found under a crypto map applied to a WAN interface. Which three statements about this command are true? (Choose 3)
A. This command sets a peer authentication string because the IPsec peer does not support automatic mutual authentication and a manual method is required
B. When configuring the crypto map, ipsec-manual must be defined as part of the parameters
C. This command is used to encrypt traffic to another device which does not support Internet Key Exchange
D. Another way of overcoming this issue is to use the crypto isakmp peer address command with an all-zeros wildcard address and mask combination
E. Both peers must be configured for manual peer authentication for this configuration to work
F. This command is used to manually configure an IPsec SA: two entries are needed on each side to encrypt and decrypt traffic over the tunnel
G. This command is used to manually configure an IPsec SA: only one entry is needed on each site to encrypt and decrypt traffic over the tunnel


2 thoughts on “Which three statements about the command are true?”

  1. B C F

    Manual keying is usually only necessary when a Cisco device is configured to encrypt traffic to another vendor’s device which does not support Internet Key Exchange (IKE).

    crypto map testcase 8 ipsec-manual
    set peer 11.11.11.12
    set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
    set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
    set transform-set encrypt-des
    match address 100

    https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14140-manual.html

    1. C is an absolute TRUE statement (based on the link stated by Lblc – word for word), and must be chosen over E. Even though E sounds like a true statement, I would think however that we can have one peer be IKE enabled and the other peer set manually (although I have not tested this), so I would not choose E.
