In IKE Phase 1 main mode negotiation, which of the following processes is carried out by Message 5 and Message 6?
Correct Answer: C
Explanation
Note: Main mode completes the first phase of negotiation in three steps, six messages in total, and ends by establishing an IKE SA. The three steps are mode (SA parameter) negotiation, the Diffie-Hellman exchange together with the nonce exchange, and identity verification of both parties. Main mode offers identity protection and makes full use of ISAKMP's negotiation capabilities; identity protection matters especially when a party wants to hide its identity. Before messages 1 and 2 are sent, the initiator and the responder each compute their own cookie, which uniquely identifies each individual negotiation exchange. The cookie is an MD5 hash over the source/destination IP addresses, a random number, and the date and time, and is placed in the ISAKMP header of message 1 to identify this negotiation exchange. In the first exchange, the two parties exchange their cookies and SA payloads.
The SA payload carries the parameters of the IKE SA to be negotiated, including the hash type, encryption algorithm, authentication algorithm, and the IKE SA lifetime limits. After the first exchange and before the second, each party generates the material for the Diffie-Hellman shared key: each generates a random number and runs it through the DH algorithm to obtain its DH value, Xa for the initiator and Xb for the responder; each side also generates a nonce, Ni and Nr respectively. In the second exchange, the parties exchange their key exchange payloads (the Diffie-Hellman exchange, carrying Xa and Xb) and their nonce payloads (carrying Ni and Nr). Once the nonces Ni and Nr have been exchanged, and with the pre-shared key already configured on both sides, a pseudo-random function produces the key SKEYID, the basis of all subsequent key generation. Then, from its own DH value, the DH value received from the peer, and SKEYID, each party derives a shared key SKEYID_d known only to the two parties. This shared key is never transmitted; only the DH values and the nonces cross the wire, so a third party who captures this material cannot compute the shared key. After the second exchange, both parties hold all the material they need and can compute the full key set used to protect subsequent IKE messages. These keys include SKEYID_a and SKEYID_e: SKEYID_a provides integrity and data-origin authentication for IKE messages, and SKEYID_e encrypts IKE messages. The third exchange carries the identification payload and the hash payload.
The identification payload carries the initiator's identity information, an IP address or host name; the hash payload carries the value obtained by hashing the three keys generated in the previous step. Both payloads are encrypted with SKEYID_e. If the hash values of the two parties match, authentication succeeds, and the IKE phase 1 main mode pre-shared-key exchange is complete.
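As an added example (not part of the original explanation), the key derivation described above written out in Python following the RFC 2409 formulas for pre-shared-key authentication. It assumes HMAC-SHA1 as the prf and a constructed toy Diffie-Hellman group; the function and variable names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (2**127 - 1 is prime) for illustration only;
# real IKE uses the MODP groups of RFC 2409 / RFC 3526 with 1024-bit or larger primes.
DH_P = 2 ** 127 - 1
DH_G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def dh_keypair():
    """Return (private exponent, public DH value g^x mod p); only g^x goes on the wire."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)

def phase1_keys(psk, ni, nr, cky_i, cky_r, my_priv, peer_pub):
    """SKEYID and its derivatives for pre-shared-key authentication (RFC 2409 section 5)."""
    g_xy = to_bytes(pow(peer_pub, my_priv, DH_P))   # shared DH secret, never transmitted
    skeyid = prf(psk, ni + nr)                       # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")             # keying material for IPsec SAs
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # encrypts IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sa_i_b, id_ii_b):
    """HASH_I sent (encrypted under SKEYID_e) in message 5; the responder recomputes it to authenticate."""
    return prf(skeyid, to_bytes(g_xi) + to_bytes(g_xr) + cky_i + cky_r + sa_i_b + id_ii_b)

def run_exchange(psk_initiator, psk_responder):
    """Simulate messages 1-4: cookies, SA payloads, DH values and nonces cross the wire."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # nonces
    xi, g_xi = dh_keypair()
    xr, g_xr = dh_keypair()
    keys_i = phase1_keys(psk_initiator, ni, nr, cky_i, cky_r, xi, g_xr)
    keys_r = phase1_keys(psk_responder, ni, nr, cky_i, cky_r, xr, g_xi)
    # An eavesdropper holds only (cky_i, cky_r, ni, nr, g_xi, g_xr): without the PSK
    # it cannot form SKEYID, and without a private exponent it cannot form g^xy.
    return keys_i, keys_r

if __name__ == "__main__":
    a, b = run_exchange(b"example-psk", b"example-psk")
    print("keys match:", a == b)
```

With matching pre-shared keys both sides derive identical SKEYID_d, SKEYID_a and SKEYID_e; with a mismatched key every derived value differs and the message 5/6 hash check fails.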