Implementing and Operating Cisco Security Core Technologies (SCOR) — Question 277

During a recent security audit, a Cisco IOS router with a working IPsec configuration using IKEv1 was flagged for using a wildcard mask with the crypto isakmp key command. The VPN peer is a SOHO router with a dynamically assigned IP address. Dynamic DNS has been configured on the SOHO router to map the dynamic IP address to the host name of vpn.sohoroutercompany.com. In addition to the command crypto isakmp key Cisc123456789 hostname vpn.sohoroutercompany.com, what other two commands are now required on the Cisco IOS router for the VPN to continue to function after the wildcard command is removed? (Choose two.)

Answer options

Correct answer: B, E

Explanation

The command 'crypto isakmp identity hostname' ensures that the router identifies itself using the configured hostname, which is essential for proper communication with the dynamic peer. The 'ip name-server <DNS Server IP Address>' command is necessary for the router to resolve the hostname to the dynamic IP address, enabling continued VPN functionality. The other options do not provide the necessary configuration to handle the dynamic nature of the VPN peer's address.
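
An added example, not part of the original question: a small Python check that flags the audited wildcard pre-shared key in a saved IOS configuration and, where a hostname-based key is used instead, confirms the two companion commands named in the explanation are present. The sample configurations, the DNS server address 192.0.2.53 and the function name audit_isakmp_keys are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from a real device).
# 192.0.2.53 is a documentation-range placeholder for the DNS server.
BEFORE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Cisc123456789 address 0.0.0.0 0.0.0.0
"""
AFTER = """\
ip name-server 192.0.2.53
crypto isakmp policy 10
 authentication pre-share
crypto isakmp identity hostname
crypto isakmp key Cisc123456789 hostname vpn.sohoroutercompany.com
"""

# Optional "0"/"6" encryption-type token, then the key, then the peer selector.
KEY_RE = re.compile(
    r"^crypto isakmp key (?:[06] )?\S+ (address|hostname) (\S+)(?: (\S+))?")


def audit_isakmp_keys(config):
    """Return sorted finding codes; the key itself is never echoed back."""
    lines = [line.strip() for line in config.splitlines()]
    has_dns = any(re.match(r"ip name-server \S+", line) for line in lines)
    has_identity = "crypto isakmp identity hostname" in lines
    findings = set()
    for line in lines:
        match = KEY_RE.match(line)
        if not match:
            continue
        kind, peer, mask = match.groups()
        if kind == "address" and "0.0.0.0" in (peer, mask):
            findings.add("wildcard-psk")  # key accepted from any source address
        elif kind == "hostname":
            # Companion commands the explanation above says are required.
            if not has_dns:
                findings.add("missing-name-server")
            if not has_identity:
                findings.add("missing-identity-hostname")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_isakmp_keys(cfg) or "clean")
```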