NSE 8 – Network Security Expert (811) — Question 20
A FortiGate is used as a VPN hub for a number of remote spoke VPN units (Group A). These spokes connect over a phase 1 main mode dial-up tunnel authenticated with pre-shared keys. You are asked to establish VPN connectivity for the sites of a newly acquired organization, for which new devices (Group B spokes) will be provisioned.
Both the existing Group A spokes and the new Group B spokes are dynamically addressed and terminate on a single public IP address on the hub. You are asked to ensure that the Group B spokes have different access permissions from the existing Group A spokes.
Which two solutions meet the requirements for the new spoke group? (Choose two.)
Answer options
- A. Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spokes.
- B. Implement a new phase 1 dial-up main mode tunnel with certificate authentication.
- C. Implement a new phase 1 dial-up main mode tunnel with pre-shared keys and XAuth.
- D. Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer ID.
Correct answer: C, D
Explanation
Option C is correct because a new phase 1 dial-up main mode tunnel with pre-shared keys and XAuth adds a per-user authentication step, so the hub can assign Group B spokes to a distinct user group and apply different firewall policies to them. Option D is also correct: with aggressive mode, the peer ID is sent in the first exchange, so the hub can match each dial-up connection to a separate phase 1 tunnel by its distinct peer ID and enforce different access controls per tunnel. In main mode, by contrast, the identity is not available when the hub has to select the pre-shared key, so dial-up peers arriving from dynamic addresses at the same public IP cannot be told apart by PSK alone. Options A and B do not sufficiently ensure the differentiated access permissions required for Group B spokes.