Exam Details

  • Exam Code: JN0-633
  • Exam Name: Security, Professional (JNCIP-SEC)
  • Certification: Juniper Certifications
  • Vendor: Juniper
  • Total Questions: 175 Q&As
  • Last Updated: Mar 30, 2025

Juniper Juniper Certifications JN0-633 Questions & Answers

  • Question 121:

    You are asked to implement a monitoring feature that periodically verifies that the data plane is working across your IPsec VPN. Which configuration will accomplish this task?

    A. [edit security ike]
       user@srx# show
       policy policy-1 {
           mode main;
           proposal-set standard;
           pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
       }
       gateway my-gateway {
           ike-policy policy-1;
           address 10.10.10.2;
           dead-peer-detection;
           external-interface ge-0/0/1;
       }

    B. [edit security ipsec]
       user@srx# show
       policy policy-1 {
           proposal-set standard;
       }
       vpn my-vpn {
           bind-interface st0.0;
           dead-peer-detection;
           ike {
               gateway my-gateway;
               ipsec-policy policy-1;
           }
           establish-tunnels immediately;
       }

    C. [edit security ike]
       user@srx# show
       policy policy-1 {
           mode main;
           proposal-set standard;
           pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
       }
       gateway my-gateway {
           ike-policy policy-1;
           address 10.10.10.2;
           vpn-monitor;
           external-interface ge-0/0/1;
       }

    D. [edit security ipsec]
       user@srx# show
       policy policy-1 {
           proposal-set standard;
       }
       vpn my-vpn {
           bind-interface st0.0;
           vpn-monitor;
           ike {
               gateway my-gateway;
               ipsec-policy policy-1;
           }
           establish-tunnels immediately;
       }

  • Question 122:

    Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce password expiration policies for all VPN users. Which authentication method meets the requirement?

    A. local password database

    B. TACACS+

    C. RADIUS

    D. LDAP

  • Question 123:

    You have recently deployed a dynamic VPN. The remote users are complaining that communications with devices on the same subnet as the SRX device are intermittent and often fail. The tunnel is stable and up, and communications with remote devices on different subnets work without any issues. Which configuration setting would resolve this issue?

    A. adding local-redirect at the [edit security nat] hierarchy

    B. adding local-redirect at the [edit interfaces ] hierarchy

    C. adding proxy-arp at the [edit security nat] hierarchy

    D. adding proxy-arp at the [edit interfaces ] hierarchy

  • Question 124:

    You have recently deployed a dynamic VPN. Some remote users are complaining that they cannot authenticate through the SRX device at the corporate network. The SRX device serves as the tunnel endpoint for the dynamic VPN. What are two reasons for this problem? (Choose two.)

    A. The supported number of users has been exceeded for the applied license.

    B. The users are connecting to the portal using Windows Vista.

    C. The SRX device does not have the required user account definitions.

    D. The SRX device does not have the required access profile definitions.

  • Question 125:

    You are asked to implement a point-to-multipoint hub-and-spoke topology in a mixed vendor environment. The hub device is running the Junos OS and the spoke devices are different vendor devices. Regarding this scenario, which statement is correct?

    A. The NHTB table must be statically defined.

    B. The NHTB table is automatically created during Phase 2.

    C. The NHTB table is automatically created during Phase 1.

    D. The NHTB table must be imported from each spoke.

  • Question 126:

    You are asked to implement an IPsec VPN between your main office and a new remote office. The remote office receives its IKE gateway address from their ISP dynamically.

    Regarding this scenario, which statement is correct?

    A. Configure a fully qualified domain name (FQDN) as the IKE identity.

    B. Configure the dynamic-host-address option as the IKE identity.

    C. Configure the unnumbered option as the IKE identity.

    D. Configure a dynamic host configuration name (DHCN) as the IKE identity.

  • Question 127:

    You have a group IPsec VPN established with a single key server and five client devices. Regarding this scenario, which statement is correct?

    A. There is one unique Phase 1 security association and five unique Phase 2 security associations used for this group.

    B. There is one unique Phase 1 security association and one unique Phase 2 security association used for this group.

    C. There are five unique Phase 1 security associations and five unique Phase 2 security associations used for this group.

    D. There are five unique Phase 1 security associations and one unique Phase 2 security association used for this group.

  • Question 128:

    You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?

    A. You can use SCEP to accomplish this behavior.

    B. You can use OCSP to accomplish this behavior.

    C. You can use CRL to accomplish this behavior.

    D. You can use SPKI to accomplish this behavior.

  • Question 129:

    You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote user. Regarding this scenario, which three statements are correct? (Choose three.)

    A. You must use preshared keys.

    B. IKE aggressive mode must be used.

    C. Only predefined proposal sets can be used.

    D. Only policy-based VPNs are supported.

    E. You can use all methods of encryption.

  • Question 130:

    You are asked to design a solution to verify IPsec peer reachability with data path forwarding. Which feature would meet the design requirements?

    A. DPD over Phase 1 SA

    B. DPD over Phase 2 SA

    C. VPN monitoring over Phase 1 SA

    D. VPN monitoring over Phase 2 SA
