Practice 350-401 VPN Technologies questions with full explanations on every answer.
Start practicing
VPN Technologies — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?
2A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?
3An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?
4A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?
5An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?
6A network engineer is configuring a remote access VPN using Cisco AnyConnect on an ASA. The engineer wants to use certificate-based authentication. The ASA is configured with a CA server. After configuration, users can connect, but they are prompted for a username and password instead of using certificates. The engineer checks the ASA configuration and sees that the tunnel group has authentication method set to AAA. What should the engineer do to fix this?
7An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv2. The engineer wants to use a pre-shared key. The configuration on both routers includes: crypto ikev2 proposal default, encryption aes-cbc-256, integrity sha256, group 14. The engineer also configures crypto ikev2 keyring and crypto ikev2 profile. The tunnel does not establish. The engineer sees that the IKEv2 SA is not created. What is the most likely missing configuration?
8A network engineer is configuring a DMVPN Phase 3 network. The hub router is a Cisco 4500X and the spokes are Cisco 4321s. The engineer wants to enable spoke-to-spoke direct communication. After configuration, the spokes can communicate via the hub, but not directly. The engineer checks the NHRP cache on a spoke and sees that it has a mapping for the other spoke's tunnel IP to the hub's physical IP. What is the most likely cause?
9An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv1. The engineer configures a crypto map on the outside interface. The tunnel establishes, but only traffic from one direction is encrypted. For example, traffic from Router A to Router B is encrypted, but traffic from Router B to Router A is not. The engineer checks the crypto map on Router B and finds that it is not applied to the correct interface. What is the most likely issue?
10A network engineer runs the following command on Router R1: R1# show crypto isakmp sa dst src state conn-id slot 10.1.1.2 10.1.1.1 MM_NO_STATE 1 0 Based on this output, what can be concluded?
11A network engineer runs the following command on Router R2: R2# show crypto ipsec sa peer 10.2.2.2 interface: Tunnel0 Crypto map tag: CMAP, local addr 10.1.1.2 protected vrf: (none) local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) current_peer 10.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500 #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200 #pkts compressed: 0, #pkts decompress: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 Based on this output, what can be concluded?
12A network engineer runs the following command on Router R3: R3# show dmvpn Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete N: NATed, L: Local, X: No Socket # Ent -> Number of NHRP entries with same NBMA peer NHS Status: E => Expecting Replies, R => Responding, W => Waiting UpDn Time -> Up or Down Time for a Tunnel ========================================================================== Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- --------------- --------------- ----- -------- ----- 1 192.168.1.1 10.0.0.1 UP 00:12:34 D 1 192.168.1.2 10.0.0.2 UP 00:10:20 D Based on this output, what can be concluded?
13A network engineer runs the following command on Router R4: R4# show mpls ldp neighbor Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0 TCP connection: 10.0.0.2.646 - 10.0.0.1.54567 State: Oper; Msgs sent/rcvd: 100/95; Downstream Up time: 00:15:30 LDP discovery sources: GigabitEthernet0/0, Src IP addr: 10.0.0.2 Addresses bound to peer LDP Ident: 10.0.0.2 192.168.1.1 Based on this output, what can be concluded?
14A network engineer runs the following command on Router R5: R5# show ip route vrf CUSTOMER-A Routing Table: CUSTOMER-A Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 10.1.1.1 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0 B 10.2.2.0/24 [20/0] via 10.1.1.1, 00:10:20 Based on this output, what can be concluded?
15A network engineer runs the following command on Router R6: R6# show ip bgp vpnv4 all summary BGP router identifier 10.0.0.6, local AS number 65000 BGP table version is 10, main routing table version 10 10 network entries using 1440 bytes of memory 10 path entries using 800 bytes of memory 4/3 BGP path/bestpath attribute entries using 576 bytes of memory 2 BGP AS-PATH entries using 48 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory BGP using 2896 total bytes of memory BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.0.0.7 4 65001 1000 1000 10 0 0 00:20:00 5 10.0.0.8 4 65002 500 500 10 0 0 00:10:00 3 Based on this output, what can be concluded?
16A network engineer runs the following command on Router R7: R7# show crypto ikev2 sa detail IKEv2 SAs: Session-id:1, Status:UP-ACTIVE, IKE count:1, Child count:1 Tunnel-id Local Remote Status Role 1 10.1.1.1/4500 10.2.2.2/4500 READY INITIATOR Encr: AES-CBC 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/3600 sec Child SA: Local selector 10.1.1.0/0 - 10.1.1.255/65535 Remote selector 10.2.2.0/0 - 10.2.2.255/65535 ESP spi in/out: 0x12345678/0x87654321 Based on this output, what can be concluded?
17A network engineer runs the following command on Router R8: R8# show ip nhrp 10.0.0.1/32 via 10.0.0.1 Tunnel0 created 00:10:00, expire 01:50:00 Type: dynamic, Flags: unique registered NBMA address: 192.168.1.1 10.0.0.2/32 via 10.0.0.2 Tunnel0 created 00:05:00, expire 01:55:00 Type: dynamic, Flags: unique registered NBMA address: 192.168.1.2 Based on this output, what can be concluded?
18A network engineer runs the following command on Router R9: R9# show ip interface tunnel 0 Tunnel0 is up, line protocol is up Internet address is 10.0.0.9/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1400 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is disabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP CEF switching is enabled IP CEF switching turbo vector IP Null turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disabled WCCP Redirect outbound is disabled WCCP Redirect inbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabled Based on this output, what can be concluded?
19Given the following configuration on a Cisco IOS-XE router: interface Tunnel100 ip address 10.0.0.1 255.255.255.252 tunnel source GigabitEthernet0/0/0 tunnel destination 192.168.1.1 tunnel mode ipsec ipv4 tunnel protection ipsec profile MYPROFILE What is the effect of this configuration?
20Examine the following IPsec configuration snippet: crypto ikev2 proposal IKEV2_PROP encryption aes-cbc-256 integrity sha256 group 14 ! crypto ikev2 policy IKEV2_POL proposal IKEV2_PROP ! crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac mode tunnel ! crypto ipsec profile IPSEC_PROF set transform-set TSET set ikev2-profile IKEV2_POL Which statement about this configuration is true?
21Consider the following DMVPN configuration on a hub router: interface Tunnel0 ip address 10.0.0.1 255.255.255.0 no ip redirects ip nhrp map multicast dynamic ip nhrp network-id 100 tunnel source GigabitEthernet0/0/0 tunnel mode gre multipoint What is the effect of the command 'ip nhrp map multicast dynamic'?
22Given this configuration on a Cisco IOS-XE router: crypto ikev2 keyring KEYRING peer SPOKE1 address 192.168.2.1 pre-shared-key cisco123 ! crypto ikev2 profile IKEV2_PROF match identity remote address 192.168.2.1 255.255.255.255 authentication remote pre-share authentication local pre-share keyring KEYRING ! What is missing from this configuration for a successful IKEv2 tunnel to the peer at 192.168.2.1?
23Examine this configuration for a site-to-site VPN on a Cisco router: crypto isakmp policy 10 encryption aes 256 hash sha256 authentication pre-share group 14 lifetime 86400 ! crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac mode tunnel ! crypto map CMAP 10 ipsec-isakmp set peer 192.168.1.1 set transform-set TSET match address 101 ! interface GigabitEthernet0/0/0 ip address 10.0.0.1 255.255.255.0 crypto map CMAP ! access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 Which statement about this configuration is true?
24Consider the following configuration for a FlexVPN spoke router: interface Tunnel0 ip address 10.0.0.2 255.255.255.0 tunnel source GigabitEthernet0/0/0 tunnel mode gre ip tunnel protection ipsec profile FLEXPROF ip nhrp network-id 100 ip nhrp nhs 10.0.0.1 ip nhrp map 10.0.0.1 192.168.1.1 What is the purpose of the 'ip nhrp map 10.0.0.1 192.168.1.1' command?
25What is the default IKEv1 (ISAKMP) lifetime in seconds on Cisco IOS routers?
26Which IPsec protocol provides both encryption and authentication within a single ESP header?
27In a DMVPN phase 2 network, what is the primary advantage of using phase 2 over phase 1?
28Drag and drop the steps of IKEv2 IPsec tunnel establishment into the correct order, from first to last.
29Drag and drop the steps of configuring a site-to-site IPsec VPN on Cisco IOS into the correct order, from first to last.
30Drag and drop the steps of DMVPN Phase 3 NHRP registration and spoke-to-spoke tunnel establishment into the correct order, from first to last.
31Drag and drop the steps of DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.
32Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.
33Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.
34Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.
35Drag and drop the steps of IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.
36Drag and drop the steps of DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.
37Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.
38Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.
39Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.
40Drag and drop the steps of IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.
41Drag and drop each VPN type on the left to its matching tunnel technology on the right.
42Drag and drop each IKEv2 exchange on the left to its matching phase on the right.
43Drag and drop each IPsec mode on the left to its matching header usage on the right.
44Drag and drop each security protocol on the left to its matching provided security service on the right.
45Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.
46Drag and drop each VPN type on the left to its matching tunnel technology on the right.
47Drag and drop each IKEv2 exchange on the left to its matching phase on the right.
48Drag and drop each IPsec mode on the left to its matching header usage on the right.
49Drag and drop each security protocol on the left to its matching service on the right.
50Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.
51Which two statements about IPsec IKEv2 are true? (Choose two.)
52Which two statements about DMVPN phase 2 are true? (Choose two.)
53Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)
54Which three statements about FlexVPN are true? (Choose three.)
55Which two statements about IPsec IKEv2 are true? (Choose two.)
56Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)
57Which two statements about DMVPN Phase 2 are true? (Choose two.)
58Which three statements about SSL VPNs are true? (Choose three.)
The VPN Technologies domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.
The Courseiva 350-401 question bank contains 58 questions in the VPN Technologies domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the VPN Technologies domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included