
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


VPN Technologies

Practice 350-401 VPN Technologies questions with full explanations on every answer.


All 350-401 VPN Technologies questions (58)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?

2

A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?

3

An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?

4

A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?

5

An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?

6

A network engineer is configuring a remote access VPN using Cisco AnyConnect on an ASA. The engineer wants to use certificate-based authentication. The ASA is configured with a CA server. After configuration, users can connect, but they are prompted for a username and password instead of using certificates. The engineer checks the ASA configuration and sees that the tunnel group has authentication method set to AAA. What should the engineer do to fix this?

7

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv2. The engineer wants to use a pre-shared key. The configuration on both routers includes: crypto ikev2 proposal default, encryption aes-cbc-256, integrity sha256, group 14. The engineer also configures crypto ikev2 keyring and crypto ikev2 profile. The tunnel does not establish. The engineer sees that the IKEv2 SA is not created. What is the most likely missing configuration?

8

A network engineer is configuring a DMVPN Phase 3 network. The hub router is a Cisco 4500X and the spokes are Cisco 4321s. The engineer wants to enable spoke-to-spoke direct communication. After configuration, the spokes can communicate via the hub, but not directly. The engineer checks the NHRP cache on a spoke and sees that it has a mapping for the other spoke's tunnel IP to the hub's physical IP. What is the most likely cause?

9

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv1. The engineer configures a crypto map on the outside interface. The tunnel establishes, but only traffic from one direction is encrypted. For example, traffic from Router A to Router B is encrypted, but traffic from Router B to Router A is not. The engineer checks the crypto map on Router B and finds that it is not applied to the correct interface. What is the most likely issue?

10

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst             src             state          conn-id slot
    10.1.1.2        10.1.1.1        MM_NO_STATE          1    0

Based on this output, what can be concluded?

11

A network engineer runs the following command on Router R2:

    R2# show crypto ipsec sa peer 10.2.2.2

    interface: Tunnel0
        Crypto map tag: CMAP, local addr 10.1.1.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
       current_peer 10.2.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
        #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
        #pkts compressed: 0, #pkts decompress: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

Based on this output, what can be concluded?

12

A network engineer runs the following command on Router R3:

    R3# show dmvpn
    Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
            N: NATed, L: Local, X: No Socket
            # Ent -> Number of NHRP entries with same NBMA peer
            NHS Status: E => Expecting Replies, R => Responding, W => Waiting
            UpDn Time -> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 192.168.1.1            10.0.0.1    UP 00:12:34     D
         1 192.168.1.2            10.0.0.2    UP 00:10:20     D

Based on this output, what can be concluded?

13

A network engineer runs the following command on Router R4:

    R4# show mpls ldp neighbor
        Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
            TCP connection: 10.0.0.2.646 - 10.0.0.1.54567
            State: Oper; Msgs sent/rcvd: 100/95; Downstream
            Up time: 00:15:30
            LDP discovery sources:
              GigabitEthernet0/0, Src IP addr: 10.0.0.2
            Addresses bound to peer LDP Ident:
              10.0.0.2        192.168.1.1

Based on this output, what can be concluded?

14

A network engineer runs the following command on Router R5:

    R5# show ip route vrf CUSTOMER-A

    Routing Table: CUSTOMER-A
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is 10.1.1.1 to network 0.0.0.0

         10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
    B       10.2.2.0/24 [20/0] via 10.1.1.1, 00:10:20

Based on this output, what can be concluded?

15

A network engineer runs the following command on Router R6:

    R6# show ip bgp vpnv4 all summary
    BGP router identifier 10.0.0.6, local AS number 65000
    BGP table version is 10, main routing table version 10
    10 network entries using 1440 bytes of memory
    10 path entries using 800 bytes of memory
    4/3 BGP path/bestpath attribute entries using 576 bytes of memory
    2 BGP AS-PATH entries using 48 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
    BGP using 2896 total bytes of memory
    BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.0.0.7        4 65001    1000    1000       10    0    0 00:20:00        5
    10.0.0.8        4 65002     500     500       10    0    0 00:10:00        3

Based on this output, what can be concluded?

16

A network engineer runs the following command on Router R7:

    R7# show crypto ikev2 sa detail
     IKEv2 SAs:
     Session-id:1, Status:UP-ACTIVE, IKE count:1, Child count:1

    Tunnel-id Local                 Remote                Status         Role
    1         10.1.1.1/4500         10.2.2.2/4500         READY          INITIATOR
          Encr: AES-CBC 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/3600 sec
    Child SA: Local selector  10.1.1.0/0 - 10.1.1.255/65535
              Remote selector 10.2.2.0/0 - 10.2.2.255/65535
              ESP spi in/out: 0x12345678/0x87654321

Based on this output, what can be concluded?

17

A network engineer runs the following command on Router R8:

    R8# show ip nhrp
    10.0.0.1/32 via 10.0.0.1
       Tunnel0 created 00:10:00, expire 01:50:00
       Type: dynamic, Flags: unique registered
       NBMA address: 192.168.1.1
    10.0.0.2/32 via 10.0.0.2
       Tunnel0 created 00:05:00, expire 01:55:00
       Type: dynamic, Flags: unique registered
       NBMA address: 192.168.1.2

Based on this output, what can be concluded?

18

A network engineer runs the following command on Router R9:

    R9# show ip interface tunnel 0
    Tunnel0 is up, line protocol is up
      Internet address is 10.0.0.9/24
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1400 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is not set
      Proxy ARP is disabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP CEF switching is enabled
      IP CEF switching turbo vector
      IP Null turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, CEF
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Probe proxy name replies are disabled
      Policy routing is disabled
      Network address translation is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
      BGP Policy Mapping is disabled

Based on this output, what can be concluded?

19

Given the following configuration on a Cisco IOS-XE router:

    interface Tunnel100
     ip address 10.0.0.1 255.255.255.252
     tunnel source GigabitEthernet0/0/0
     tunnel destination 192.168.1.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MYPROFILE

What is the effect of this configuration?

20

Examine the following IPsec configuration snippet:

    crypto ikev2 proposal IKEV2_PROP
     encryption aes-cbc-256
     integrity sha256
     group 14
    !
    crypto ikev2 policy IKEV2_POL
     proposal IKEV2_PROP
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile IPSEC_PROF
     set transform-set TSET
     set ikev2-profile IKEV2_POL

Which statement about this configuration is true?

21

Consider the following DMVPN configuration on a hub router:

    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 100
     tunnel source GigabitEthernet0/0/0
     tunnel mode gre multipoint

What is the effect of the command 'ip nhrp map multicast dynamic'?

22

Given this configuration on a Cisco IOS-XE router:

    crypto ikev2 keyring KEYRING
     peer SPOKE1
      address 192.168.2.1
      pre-shared-key cisco123
    !
    crypto ikev2 profile IKEV2_PROF
     match identity remote address 192.168.2.1 255.255.255.255
     authentication remote pre-share
     authentication local pre-share
     keyring KEYRING
    !

What is missing from this configuration for a successful IKEv2 tunnel to the peer at 192.168.2.1?

23

Examine this configuration for a site-to-site VPN on a Cisco router:

    crypto isakmp policy 10
     encryption aes 256
     hash sha256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.1
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/0/0
     ip address 10.0.0.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

Which statement about this configuration is true?

24

Consider the following configuration for a FlexVPN spoke router:

    interface Tunnel0
     ip address 10.0.0.2 255.255.255.0
     tunnel source GigabitEthernet0/0/0
     tunnel mode gre ip
     tunnel protection ipsec profile FLEXPROF
     ip nhrp network-id 100
     ip nhrp nhs 10.0.0.1
     ip nhrp map 10.0.0.1 192.168.1.1

What is the purpose of the 'ip nhrp map 10.0.0.1 192.168.1.1' command?

25

What is the default IKEv1 (ISAKMP) lifetime in seconds on Cisco IOS routers?

26

Which IPsec protocol provides both encryption and authentication within a single ESP header?

27

In a DMVPN phase 2 network, what is the primary advantage of using phase 2 over phase 1?

28

Drag and drop the steps of IKEv2 IPsec tunnel establishment into the correct order, from first to last.

29

Drag and drop the steps of configuring a site-to-site IPsec VPN on Cisco IOS into the correct order, from first to last.

30

Drag and drop the steps of DMVPN Phase 3 NHRP registration and spoke-to-spoke tunnel establishment into the correct order, from first to last.

31

Drag and drop the steps of DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.

32

Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.

33

Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.

34

Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.

35

Drag and drop the steps of IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.

36

Drag and drop the steps of DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.

37

Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.

38

Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.

39

Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.

40

Drag and drop the steps of IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.

41

Drag and drop each VPN type on the left to its matching tunnel technology on the right.

42

Drag and drop each IKEv2 exchange on the left to its matching phase on the right.

43

Drag and drop each IPsec mode on the left to its matching header usage on the right.

44

Drag and drop each security protocol on the left to its matching provided security service on the right.

45

Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.

46

Drag and drop each VPN type on the left to its matching tunnel technology on the right.

47

Drag and drop each IKEv2 exchange on the left to its matching phase on the right.

48

Drag and drop each IPsec mode on the left to its matching header usage on the right.

49

Drag and drop each security protocol on the left to its matching service on the right.

50

Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.

51

Which two statements about IPsec IKEv2 are true? (Choose two.)

52

Which two statements about DMVPN phase 2 are true? (Choose two.)

53

Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)

54

Which three statements about FlexVPN are true? (Choose three.)

55

Which two statements about IPsec IKEv2 are true? (Choose two.)

56

Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)

57

Which two statements about DMVPN Phase 2 are true? (Choose two.)

58

Which three statements about SSL VPNs are true? (Choose three.)


Frequently asked questions

What does the VPN Technologies domain cover on the 350-401 exam?

The VPN Technologies domain covers the key concepts tested in this area of the 350-401 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-401 domains — no account required.

How many VPN Technologies questions are in the 350-401 question bank?

The Courseiva 350-401 question bank contains 58 questions in the VPN Technologies domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice VPN Technologies for 350-401?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only VPN Technologies questions for 350-401?

Yes — the session launcher on this page draws questions exclusively from the VPN Technologies domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
