Ine Ccnp Scor <PROVEN • 2025>

Module 1: Cryptography & VPN Fundamentals (15% of exam)

| Topic | INE Lab Activity |
|-------|------------------|
| Symmetric vs Asymmetric encryption | Configure SSHv2 with RSA keys |
| PKI & Certificate Management | Deploy internal CA and enroll devices |
| IPsec IKEv1 vs IKEv2 | Build tunnel between IOS routers |
| SSL/TLS VPN | Configure AnyConnect headend |
| FlexVPN & DMVPN | Build hub-spoke VPN topology |

Key CLI Commands You'll Master:

crypto ikev2 proposal SCOR-PROP
crypto ikev2 policy SCOR-POLICY
crypto ipsec transform-set SCOR-SET esp-aes esp-sha-hmac
crypto map SCOR-MAP 10 ipsec-isakmp

Hands-on Challenge:

"Build a site-to-site VPN where Phase 1 uses AES256-SHA256-DH14 and Phase 2 uses ESP-AES256. Add a backup tunnel using DPD."


Question: A security engineer configures a FlexVPN tunnel between two IOS routers using IKEv2. The tunnel comes up but traffic fails to traverse. show crypto session shows the tunnel in "UP-ACTIVE" state, but show crypto ipsec sa shows 0 packets encrypted. What is the most likely cause?

A) Mismatched PSK in IKEv2 profile
B) Missing crypto map applied to the outside interface
C) No interesting traffic defined in an ACL matched by the crypto map
D) IKEv2 proposal missing a PRF algorithm

Correct Answer: C

Explanation: SCOR focuses on IKEv2/FlexVPN. If the session is UP (IKE SA built) but 0 IPsec packets encrypted, the IPsec SA is never triggered – meaning the traffic is not matched by the access-list referenced in the crypto map or tunnel protection.
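
The check from the explanation above, as an added example (not from the original page or from INE material): it parses the output of show crypto session and show crypto ipsec sa and flags peers whose session is UP-ACTIVE while the encrypt counter is still 0. The sample output, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample output (not captured from a real device).
SHOW_CRYPTO_SESSION = """\
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 198.51.100.2 port 500
  IKEv2 SA: local 192.0.2.1/500 remote 198.51.100.2/500 Active
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.2.2.0/255.255.255.0
"""

SHOW_CRYPTO_IPSEC_SA = """\
interface: GigabitEthernet0/0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def session_status(text):
    """Map peer address -> session status from 'show crypto session'."""
    status, result = None, {}
    for line in text.splitlines():
        if m := re.match(r"\s*Session status:\s*(\S+)", line):
            status = m.group(1)
        elif m := re.match(r"\s*Peer:\s*(\S+)", line):
            result[m.group(1)] = status
    return result

def ipsec_counters(text):
    """Map peer address -> {counter: total} from 'show crypto ipsec sa'."""
    peer, result = None, {}
    for line in text.splitlines():
        if m := re.match(r"\s*current_peer\s+(\S+)", line):
            peer = m.group(1)
            result.setdefault(peer, {})
        elif peer and "#pkts" in line:
            # Sum per peer so several SAs to the same peer are counted together.
            for name, value in re.findall(r"#pkts (\w+): (\d+)", line):
                result[peer][name] = result[peer].get(name, 0) + int(value)
    return result

def idle_tunnels(session_text, sa_text):
    """Peers whose session is UP-ACTIVE but that have encrypted nothing."""
    counters = ipsec_counters(sa_text)
    return [peer for peer, status in session_status(session_text).items()
            if status == "UP-ACTIVE"
            and counters.get(peer, {}).get("encrypt", 0) == 0]
```

A peer returned by idle_tunnels matches the symptom in the question: the next thing to inspect on the router is the ACL that defines interesting traffic.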


Before diving into the solution, we must respect the enemy. The SCOR exam is not a trivia test. It covers a staggering breadth of topics, including:

The exam is heavy on architecture, APIs, and policy configuration. You cannot pass this exam by memorizing commands alone; you must understand how security fabrics interact. This is where most generic video courses fail, and where INE excels.