Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)
A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5
The default IKEv2 proposal is used in the default IKEv2 policy.
Perform this task to configure the proposals manually if you do not want to use the default proposal. The default IKEv2 proposal requires no configuration and is a collection of commonly used transforms types, which are as follows:
encryption aes-cbc-128 3des
integrity sha md5
group 5 2
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html
Weird question, since DH group 14 is not default either.
Maybe 3DES is part of it in an outdated IOS?
Router#show crypto ikev2 proposal
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
Correct: AD
This is my fresh unconfigured router. Show me where you see 3DES?
R1#show crypto ikev2 proposal
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
R1#
And where did you see DH 14?
@AK,
The link you reference is not using the default proposal. It clearly stated it is using two proposal examples. “proposal-1” and “proposal-2” both are using custom encryption and integrity.
Device(config)# crypto ikev2 proposal proposal-1
Device(config-ikev2-proposal)# encryption aes-cbc-128 aes-cbc-196
Device(config-ikev2-proposal)# integrity sha1 sha256
Device(config-ikev2-proposal)# group 14 16
Device(config)# crypto ikev2 proposal proposal-2
Device(config-ikev2-proposal)# encryption aes-cbc-196 aes-cbc-128
Device(config-ikev2-proposal)# integrity sha256 sha1
Device(config-ikev2-proposal)# group 16 14
This Cisco documentation will show you the default and why B and D are correct. I hope this helps.
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html
— From Cisco document —
Configuring the IKEv2 Proposal
Note
The default IKEv2 proposal is used in the default IKEv2 policy.
Perform this task to configure the proposals manually if you do not want to use the default proposal. The default IKEv2 proposal requires no configuration and is a collection of commonly used transforms types, which are as follows:
encryption aes-cbc-128 3des
integrity sha md5
group 5 2
The transform types shown below translate to the transform combinations in the following order of priority:
aes-cbc-128, sha, 5
aes-cbc-128, sha, 2
aes-cbc-128, md5, 5
aes-cbc-128, md5, 2
3des, sha, 5
3des, sha, 2
3des, md5, 5
3des, md5, 2
Something is not right with this question; 3DES is not in the default IKEv2 proposal.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr900/16-8-1/b-sec-ipsec-xe-16-8-900/configuring_ikev1_and_ikev2_transform_sets.pdf
Router# show crypto ikev2 proposal
IKEv2 proposal: 30
Encryption : 3DES
Integrity : SHA96
PRF : SHA1
DH Group : DH_GROUP_2048_MODP/Group 14
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
IKEv2 proposal: prop1
Encryption : AES-CBC-128
Integrity : MD596
PRF : MD5
DH Group : DH_GROUP_2048_MODP/Group 14
I don't know why it is B in the answer, because I don't see any 3DES in the default TS.
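Added example (not from the thread or from Cisco's documentation): a Python script that parses `show crypto ikev2 proposal` output in the format quoted above, expands a proposal into encryption/integrity/group combinations in the priority order the Cisco excerpt lists, and flags weak transforms. The `WEAK` policy (3DES, DES, MD5, DH groups 1, 2 and 5), the function names, and the sample text (constructed from the outputs quoted in the thread) are assumptions of this example.

```python
import itertools
import re

# Constructed sample in the format of the `show crypto ikev2 proposal` output quoted in the thread.
SAMPLE = """\
IKEv2 proposal: 30
 Encryption : 3DES
 Integrity : SHA96
 PRF : SHA1
 DH Group : DH_GROUP_2048_MODP/Group 14
IKEv2 proposal: default
 Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
 Integrity : SHA512 SHA384 SHA256 SHA96 MD596
 PRF : SHA512 SHA384 SHA256 SHA1 MD5
 DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

# Audit policy assumed for this example; adjust to your own baseline.
WEAK = {"Encryption": {"3DES", "DES"}, "Integrity": {"MD596"},
        "PRF": {"MD5"}, "DH Group": {"1", "2", "5"}}

def parse_proposals(text):
    """Return {proposal name: {transform type: [values in configured order]}}."""
    proposals, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("IKEv2 proposal:"):
            current = proposals.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "DH Group":
                # "DH_GROUP_1536_MODP/Group 5 ..." -> ["5", ...]
                current[key] = re.findall(r"/Group (\d+)", value)
            else:
                current[key] = value.split()
    return proposals

def combinations(proposal):
    """Expand into (encryption, integrity, group) triples, highest priority first."""
    return list(itertools.product(proposal["Encryption"], proposal["Integrity"], proposal["DH Group"]))

def weak_transforms(proposal):
    """List the (type, value) pairs that the assumed policy rejects."""
    return [(t, v) for t, values in proposal.items() for v in values if v in WEAK.get(t, ())]

if __name__ == "__main__":
    for name, prop in parse_proposals(SAMPLE).items():
        print(name, len(combinations(prop)), "combinations; weak:", weak_transforms(prop))
```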