Exam 156-585
Question 27

Joey is configuring a site-to-site VPN with his business partner. On Joey’s site he has a Check Point R80.10 Gateway and his partner uses Cisco ASA 5540 as a gateway.

Joey’s VPN domain on the Check Point Gateway object is manually configured with a group object that contains two network objects:

VPN_Domain3 = 192.168.14.0/24

VPN_Domain4 = 192.168.15.0/24

Partner’s site ACL as viewed from “show run”

    access-list JOEY-VPN extended permit ip 172.26.251.0 255.255.255.0 192.168.14.0 255.255.255.0
    access-list JOEY-VPN extended permit ip 172.26.251.0 255.255.255.0 192.168.15.0 255.255.255.0

When they try to establish the VPN tunnel, it fails. What is the most likely cause of the failure, given the information provided?

    Correct Answer: B

    The most likely cause of the failure is that the Check Point gateway supernets its encryption domain: the two adjacent networks 192.168.14.0/24 and 192.168.15.0/24 are presented in IKE Quick Mode as a single traffic selector, 192.168.14.0/23. The Cisco ASA 5540 derives its proxy IDs from the crypto ACL, which lists the two /24 networks separately, so no ACL entry matches the /23 the peer proposes and the ASA rejects the Phase 2 negotiation (the /23 also covers more than any single ACL line, so it would not be accepted as a narrower selector either). The usual remedies are to summarize the partner's ACL to 192.168.14.0 255.255.254.0 as well, or to turn off supernetting on the Check Point gateway object (the ike_use_largest_possible_subnets property, edited with GuiDBedit; see sk108600) so that each /24 is negotiated as its own Phase 2 SA.
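The selector mismatch can be checked offline before touching either gateway. The script below is an added example written for this page, not code from Check Point, Cisco or the question author: it parses the ASA crypto ACL as printed above, builds the proxy IDs the Check Point side would present with and without supernetting, and reports which proposals the ASA's mirrored ACL would accept. The exact-match rule in `asa_accepts` is a simplified model of the ASA's proxy-ID comparison, and the network addresses are the ones constructed from the question.

```python
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]  # (source, destination) as written in the ASA ACL

# Inputs constructed from the question text.
CHECKPOINT_VPN_DOMAIN = ["192.168.14.0/24", "192.168.15.0/24"]   # VPN_Domain3, VPN_Domain4
PARTNER_VPN_DOMAIN = ["172.26.251.0/24"]
ASA_ACL = """
access-list JOEY-VPN extended permit ip 172.26.251.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list JOEY-VPN extended permit ip 172.26.251.0 255.255.255.0 192.168.15.0 255.255.255.0
"""

ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_asa_acl(text: str) -> List[Selector]:
    """Turn 'permit ip SRC MASK DST MASK' lines into (src, dst) network pairs."""
    selectors = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines and non-ACL output
        src = Net(f"{m.group(1)}/{m.group(2)}")
        dst = Net(f"{m.group(3)}/{m.group(4)}")
        selectors.append((src, dst))
    return selectors


def checkpoint_proposals(local_domain, remote_domain, supernet=True) -> List[Selector]:
    """(local, remote) traffic selectors the Check Point gateway presents in Quick Mode.

    With supernet=True, adjacent networks in each domain are merged into the
    largest possible subnet, which is the behaviour sk108600 describes.
    """
    local = [Net(n) for n in local_domain]
    remote = [Net(n) for n in remote_domain]
    if supernet:
        local = list(ipaddress.collapse_addresses(local))
        remote = list(ipaddress.collapse_addresses(remote))
    return [(l, r) for l in local for r in remote]


def asa_accepts(proposal: Selector, acl: List[Selector]) -> bool:
    """Simplified ASA proxy-ID check: the peer's local selector must equal an ACL
    destination and the peer's remote selector must equal that entry's source."""
    peer_local, peer_remote = proposal
    return any(src == peer_remote and dst == peer_local for src, dst in acl)


def diagnose(local_domain, remote_domain, acl_text, supernet=True):
    """Return (peer_local, peer_remote, accepted) for every Phase 2 proposal."""
    acl = parse_asa_acl(acl_text)
    return [
        (str(local), str(remote), asa_accepts((local, remote), acl))
        for local, remote in checkpoint_proposals(local_domain, remote_domain, supernet)
    ]


if __name__ == "__main__":
    for label, sn in (("supernetting on", True), ("supernetting off", False)):
        print(label)
        for local, remote, ok in diagnose(CHECKPOINT_VPN_DOMAIN, PARTNER_VPN_DOMAIN, ASA_ACL, sn):
            print(f"  {local:18} <-> {remote:18} {'accepted' if ok else 'REJECTED'}")
```

With supernetting on, the only proposal is 192.168.14.0/23 to 172.26.251.0/24 and it is rejected; with it off, both /24 proposals match an ACL line. Feeding the script a summarized ACL line (192.168.14.0 255.255.254.0) shows the other fix: the single /23 proposal is then accepted.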

Discussion
Samooj    Option: B

sk108600, VPN Site-to-Site with 3rd party, Scenario 1:

"During IKE Quick Mode negotiation, the IP addresses which define the VPN tunnel (also known as IPSec IDs, or traffic selectors) are negotiated. The IP addresses can be a set of discrete IP addresses, or a subnet. When negotiating a VPN tunnel between a Check Point Security Gateway and certain 3rd-party devices, IKE Quick Mode may fail if the subnets are defined differently on each end of the VPN tunnel. One reason is that the Check Point Security Gateway dynamically supernets subnets to reduce the amount of SA overhead."