Refer to the exhibits.


Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)
The IPsec VPN configuration does not install static routes for remote protected networks in the routing table because the 'add-route' parameter is set to 'disable'. Additionally, the phase 1 configuration supports the network-overlay setting since it is using IKE version 2. Even though the network-overlay setting is not explicitly enabled, the usage of IKE version 2 supports the possibility of configuring it.
D is false. C is false because there is no auto-discovery-receiver or sender, so ADVPN is not configured. Has to be A and B.
Agree. And answer A is correct because add-route is disabled, and B is correct as the configuration "SUPPORTS" the network-overlay settings as it's IKEv2.
Yeah, this is the HUB config. "net-device" is disabled, so ADVPN shortcuts won't work. The exhibit is trying to trick us by showing the logs of a child dial-up tunnel on the HUB, instead of a shortcut. The study guide points out on page 282 to not get confused.
A is correct because add-route is disabled. B is correct as the configuration "SUPPORTS" the network-overlay settings as it's IKEv2; the question doesn't ask whether it is enabled, only whether it is supported. C is false because there is no auto-discovery-receiver or sender, so ADVPN is not configured. D is false because DPD on-demand is configured.
B is false because "set network-overlay enable" is not configured in the phase1. D is false because DPD on-demand is configured.
The question asks if the config SUPPORTS (not if it's already enabled) the "network-overlay" setting. It's true because the phase1-interface is configured as IKE v2 (IKE v1 doesn't; you can test this on any FortiGate just by editing a fake phase1-interface). C and D are false (read other comments), so it's A & B.
DPD is enabled as "on demand". And although the config contains "add-route disable", in the diagnose output we can see the dst selector is different from "0.0.0.0-255.255.255.255" and, in the line above, the parameter "add-route".
D is configured and B is not enabled so AC
A, B are correct
If you look at the diagnose vpn tunnel list command output you will notice the line with parent=T_INET_1_0 which means this is a dynamic tunnel over that parent tunnel. Also D is clearly false and B is not seen in the configuration (unless this is a tricky question meaning B could theoretically be enabled).
A & B are correct. No presence of AD VPN config