The configuration snippet in the exhibit is part of an IKEv2 configuration in which an IKEv2 name mangler named MANGLER is tied to the organizational unit (OU) attribute of the peer's certificate subject. In Cisco's IKEv2 (FlexVPN) implementation a name mangler does not match or filter peers on its own: it derives a name from the peer's IKE identity or certificate, and the IKEv2 profile then uses that derived name as the username in its AAA requests, for example when it looks up the group authorization policy or fetches a preshared key. With this snippet the name is taken from the OU field, so the authorization data a peer receives is the entry whose name equals the OU in its certificate. A peer whose OU does not correspond to a configured authorization policy or AAA user record fails authorization and no IKEv2 Security Association is established. That is how the configuration limits connections to peers holding certificates issued for the expected organizational unit, which is why option B is the chosen answer.

The name mangler is configured globally and referenced from the profile, not defined inside it. The global object is created with crypto ikev2 name-mangler name-mangler-name, and under it dn organization-unit selects the OU; the dn keyword also accepts common-name, organization, country, state, locality and domain. The profile then references it with aaa authorization group cert list aaa-list-name name-mangler name-mangler-name (the user and psk forms take the same name-mangler option). The fqdn, email and eap keywords extract parts of those identity types instead, such as the hostname or domain of an FQDN, the username or domain of an e-mail address, or the prefix or suffix of an EAP identity around a delimiter. In every case the mangler takes a portion of the identity the peer presented; it does not append to, prepend to or otherwise rewrite that identity.

The other options are incorrect because they do not describe what the name mangler does. Option A is incorrect because the name mangler does not perform the identity matching that selects an IKEv2 profile; that selection is made by the profile's match identity remote and match certificate statements, based on the peer's identity type and value, and only afterwards does the mangler derive a name from the matched peer. Option C is incorrect because the name mangler performs no cryptographic operation. The peer's certificate, including the subject with its OU attribute, is carried in a CERT payload of the IKE_AUTH exchange; that exchange is protected by the IKE SA keys like every IKEv2 message after IKE_SA_INIT, but the protection comes from the SA, not from the name mangler. Option D is incorrect because the router does not set the OU field. The OU is part of the subject that the issuing certificate authority (CA) placed in the certificate, and the name mangler only reads it.

References: Configuring Internet Key Exchange Version 2; Internet Key Exchange Version 2 CLI Constructs; Tutorial: Setting up a certificate-based IKEv2 VPN connection (RSA)
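The following FlexVPN hub configuration is an added example, not the exhibit from the question and not vendor sample code. It shows the pieces the explanation above refers to together: a name mangler that derives the peer name from the OU, a local AAA authorization list, one authorization policy per permitted OU value, and a certificate map that pins the profile to the expected issuer. All names (MANGLER, FLEX_LOCAL, FLEX_PROF, CERT_MAP, CA_TP, VPN_POOL, the OU value ENGINEERING, the issuer CN corp-ca) and the address pool are assumptions chosen for illustration.

```text
! Added example (assumed names and values), not the question's exhibit.
!
! 1. Name mangler: take the peer's name from the OU of its certificate
!    subject. The object is named MANGLER; the OU value is whatever the
!    CA put in the peer's certificate, e.g. "ENGINEERING".
crypto ikev2 name-mangler MANGLER
 dn organization-unit
!
! 2. Local AAA authorization list used for IKEv2 group authorization.
aaa new-model
aaa authorization network FLEX_LOCAL local
!
! 3. One authorization policy per permitted OU value. The mangled name
!    is used as the username, so a peer with OU=ENGINEERING receives this
!    policy. A peer whose OU matches no policy (and no policy named
!    "default" exists) fails authorization and gets no SA.
ip local pool VPN_POOL 10.10.10.1 10.10.10.254
crypto ikev2 authorization policy ENGINEERING
 pool VPN_POOL
 route set interface
!
! 4. Certificate map: select this profile only for certificates issued
!    by the expected CA. To hard-require a specific OU, this map (with a
!    subject-name line such as "subject-name co ou = ENGINEERING") is the
!    place to do it; the name mangler itself only derives a name.
crypto pki certificate map CERT_MAP 10
 issuer-name co cn = corp-ca
!
! 5. IKEv2 profile: certificate authentication on both sides; the name
!    derived by MANGLER is the username for the AAA authorization request.
crypto ikev2 profile FLEX_PROF
 match certificate CERT_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA_TP
 aaa authorization group cert list FLEX_LOCAL name-mangler MANGLER
 virtual-template 1
```

After a peer connects, show crypto ikev2 sa detailed lists the session and the identity the peer presented, and debug crypto ikev2 shows the name the mangler produced and whether the authorization lookup for that name succeeded, which is the quickest way to confirm that a peer with an unexpected OU is being rejected at authorization rather than somewhere earlier in the exchange.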