Check Point Certified Security Administrator (CCSA) R80 — Question 132

Your manager requires you to setup a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he setup AES 128 for IKE phase 1 and AES 256 for IKE phase 2. Why is this a problematic setup?

Answer options

• A. The two algorithms do not have the same key length and so don't work together. You will get the error ג€¦ No proposal chosenג€¦
• B. All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.
• C. Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase 1.
• D. All is fine and can be used as is.

Correct answer: C

Explanation

The correct answer is C because using a shorter key length in phase 1 undermines the security benefits of a longer key in phase 2. While the phase 2 key may provide stronger encryption, it is not effective if phase 1 is less secure. Options A and B are incorrect due to misinterpretations of key length compatibility and security effectiveness, while D mistakenly suggests that the configuration is acceptable.