Which two possible issues are true?

Refer to the exhibit.

R3

ip vrf mgmt

!

crypto keyring CCIE vrf mgmt

pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

!

crypto isakmp policy 33

encr 3des

authentication pre-share

group 2

lifetime 600

!

crypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac

mode tunnel

!

crypto ipsec profile site_a

set security-association lifetime seconds 600

set transform-set site_ab

!

crypto gdoi group group_a

identity number 100

server local

rekey algorithm aes 256

rekey lifetime seconds 300

rekey retransmit 10 number 3

rekey authentication mypubkey rsa cciekey

rekey transport unicast

sa ipsec 1

profile site_a

match address ipv4 site_a

replay counter window-size 64

no tag

address ipv4 10.1.20.3

!

interface GigabitEthernet3

ip address 10.1.20.3 255.255.255.0

!

ip access-list extended site_a

permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R3 is the key server in a GETVPN VRF-Aware implementation. the group members for the site a register with key server via interface address 10.1.20. 3/24 in the management VRF "mgmt". The GROUP ID for the site a is 100 to retrieve group policy and keys from the key server.

The traffic to be encrypted by the site a group members is between 192.186.4.0/24 and 192.186.5.0/24. The preshared key used by the group members to authenticate with the key server is "cisco”. It has bee reported that group members cannot perform encryption for the traffic defined in the group policy of site a.

Which two possible issues are true? (Choose two)
A . The registration interface is not part of management VRF "mgmt”
B . incorrect encryption traffic defined in the group policy
C . incorrect encryption in ISAKMP policy
D . incorrect password in the keyring configuration
E . The GDOI group has an incorrect local server address
F . incorrect security-association time in the IPsec profile


View Answer

Answer: AB