JNCIS-ENT: Juniper Networks Certified Specialist – Enterprise Routing and Switching (2022) — Question 24

You need to secure communications from a mobile command center which uses a 5G mobile ISP behind CGNAT to an SRX Series Firewall at headquarters.
Which two actions should be performed on the SRX Series Firewall in this scenario? (Choose two.)

Answer options

• A. Configure the IPsec VPN to use NAT-T.
• B. Configure the IPsec VPN to use IKEv1 aggressive mode.
• C. Configure the IPsec VPN to use IKEv2 aggressive mode.
• D. Configure the IPsec VPN to use DPD.

Correct answer: A, D

Explanation

Configuring the IPsec VPN to use NAT-T (Option A) is necessary to accommodate NAT environments like CGNAT, ensuring that packets can traverse NAT devices. DPD (Option D) helps in maintaining the VPN connection by detecting dead peers, which is also essential in a dynamic mobile environment. Options B and C focus on IKEv1 and IKEv2 aggressive modes, which are not specifically tailored for NAT traversal concerns and do not address the need for communication stability in this scenario.