Refer to the exhibits.
Exhibit A -
Exhibit B -
Exhibit C -
A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C.
Referring to the exhibits, which configuration will restore VPN connectivity?
The configuration to restore VPN connectivity should accommodate the specific settings observed in the exhibits. Looking at Exhibit A and Exhibit B, we can see various parameters, such as the peer ID, the proposal 'aes256-sha256', and the necessity for NPU (Network Processing Unit) offloading indicated by 'npu_flag=03'. The configuration in Exhibit D matches these requirements, including NPU offloading and the correct use of 'aes256-sha256'. Therefore, the correct answer is the configuration that aligns with these settings, which is provided in option D.
NPU_flag 03 both ingress and egress will be offloaded
D is correct
As Noidea and pwatchpk
NPU_Flag 03
Correct answer is C
Correct answer is C
The output in Exhibit A shows that the VPN tunnel is not established because the peer IP address is incorrect. The output in Exhibit B shows that the peer IP address is 192.168.1.100, but the baseline VPN configuration in Exhibit C shows that the peer IP address should be 192.168.1.101. To restore VPN connectivity, you need to change the peer IP address in the VPN tunnel configuration to 192.168.1.101. The correct configuration is shown below: config vpn ipsec phase1-interface edit "wan" set peer-ip 192.168.1.101 set peer-id 192.168.1.101 set dhgrp 1 set auth-mode psk set psk SECRET_PSK next end Option A is incorrect because it does not change the peer IP address. Option B is incorrect because it changes the peer IP address to 192.168.1.100, which is the incorrect IP address. Option D is incorrect because it does not include the necessary configuration for the VPN tunnel
my man, where do you see those addresses?
npu_flag=03. D is correct
It is more likely to be B as the peer ID in exhibit A states CN = gftdc01.example.com with peer-id-auth: yes, so it requires this specific peer ID, and in A, C, D the peer ID is "vpn-hub02-1_peer", which means the peer ID will be wrong. A cannot be because its IKEv1. C has disabled offloading, which does not affect the tunnel status but is not the same as the exhibit B, so cannot be correct based on that. D has everything correct, but using digital signature for auth, cannot verify this on any of the outputs and as the default auth-method is PSK, and they do not have a config backup, so no certificate to use if it was the case, makes D wrong too. B, based on the above, and the default for PSK setting for peer-id is accept all, is the only plausible option.