Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Certifications›350-401›Objectives›VPN Technologies
Objective 504.0

VPN Technologies

350-401 Practice Questions

Full Practice Test →All Objectives

350-401 VPN Technologies — Practice Questions

30 questions from this objective

Question 2mediummultiple choice
Read the full VPN explanation →

A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?

Question 3hardmultiple choice
Read the full VPN explanation →

A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?

Question 4mediummultiple choice
Read the full VPN explanation →

An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?

Question 5hardmultiple choice
Read the full VPN explanation →

A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?

Question 6easymultiple choice
Read the full VPN explanation →

An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?

Question 7mediummultiple choice
Read the full VPN explanation →

A network engineer is configuring a remote access VPN using Cisco AnyConnect on an ASA. The engineer wants to use certificate-based authentication. The ASA is configured with a CA server. After configuration, users can connect, but they are prompted for a username and password instead of using certificates. The engineer checks the ASA configuration and sees that the tunnel group has authentication method set to AAA. What should the engineer do to fix this?

Question 8hardmultiple choice
Read the full VPN explanation →

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv2. The engineer wants to use a pre-shared key. The configuration on both routers includes: crypto ikev2 proposal default, encryption aes-cbc-256, integrity sha256, group 14. The engineer also configures crypto ikev2 keyring and crypto ikev2 profile. The tunnel does not establish. The engineer sees that the IKEv2 SA is not created. What is the most likely missing configuration?

Question 9hardmultiple choice
Read the full VPN explanation →

A network engineer is configuring a DMVPN Phase 3 network. The hub router is a Cisco 4500X and the spokes are Cisco 4321s. The engineer wants to enable spoke-to-spoke direct communication. After configuration, the spokes can communicate via the hub, but not directly. The engineer checks the NHRP cache on a spoke and sees that it has a mapping for the other spoke's tunnel IP to the hub's physical IP. What is the most likely cause?

Question 10easymultiple choice
Read the full VPN explanation →

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv1. The engineer configures a crypto map on the outside interface. The tunnel establishes, but only traffic from one direction is encrypted. For example, traffic from Router A to Router B is encrypted, but traffic from Router B to Router A is not. The engineer checks the crypto map on Router B and finds that it is not applied to the correct interface. What is the most likely issue?

Question 11mediummultiple choice
Review the full routing breakdown →

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa

dst src state conn-id slot

10.1.1.2        10.1.1.1        MM_NO_STATE       1       0

Based on this output, what can be concluded?

Question 12mediummultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R2:

R2# show crypto ipsec sa peer 10.2.2.2
interface: Tunnel0
    Crypto map tag: CMAP, local addr 10.1.1.2

protected vrf: (none) local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) current_peer 10.2.2.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500 #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200 #pkts compressed: 0, #pkts decompress: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0

Based on this output, what can be concluded?

Question 13hardmultiple choice
Read the full VPN explanation →

A network engineer runs the following command on Router R3:

R3# show dmvpn

Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete N: NATed, L: Local, X: No Socket

# Ent -> Number of NHRP entries with same NBMA peer

NHS Status: E => Expecting Replies, R => Responding, W => Waiting UpDn Time -> Up or Down Time for a Tunnel ==========================================================================

Interface: Tunnel0, IPv4 NHRP Details

Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

----- --------------- --------------- ----- -------- ----- 1 192.168.1.1 10.0.0.1 UP 00:12:34 D 1 192.168.1.2 10.0.0.2 UP 00:10:20 D

Based on this output, what can be concluded?

Question 14mediummultiple choice
Read the full MPLS explanation →

A network engineer runs the following command on Router R4:

R4# show mpls ldp neighbor

Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0 TCP connection: 10.0.0.2.646 - 10.0.0.1.54567 State: Oper; Msgs sent/rcvd: 100/95; Downstream Up time: 00:15:30 LDP discovery sources: GigabitEthernet0/0, Src IP addr: 10.0.0.2 Addresses bound to peer LDP Ident:

10.0.0.2        192.168.1.1

Based on this output, what can be concluded?

Question 15hardmultiple choice
Review the full OSPF breakdown →

A network engineer runs the following command on Router R5:

R5# show ip route vrf CUSTOMER-A

Routing Table: CUSTOMER-A Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
B       10.2.2.0/24 [20/0] via 10.1.1.1, 00:10:20

Based on this output, what can be concluded?

Question 16hardmultiple choice
Open the full BGP breakdown →

A network engineer runs the following command on Router R6:

R6# show ip bgp vpnv4 all summary

BGP router identifier 10.0.0.6, local AS number 65000 BGP table version is 10, main routing table version 10 10 network entries using 1440 bytes of memory 10 path entries using 800 bytes of memory 4/3 BGP path/bestpath attribute entries using 576 bytes of memory 2 BGP AS-PATH entries using 48 bytes of memory 0 BGP route-map cache entries using 0 bytes of memory 0 BGP filter-list cache entries using 0 bytes of memory Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory BGP using 2896 total bytes of memory BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.7        4        65001    1000    1000       10    0    0 00:20:00        5
10.0.0.8        4        65002     500     500       10    0    0 00:10:00        3

Based on this output, what can be concluded?

Question 17mediummultiple choice
Review the full routing breakdown →

A network engineer runs the following command on Router R7:

R7# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, Child count:1

Tunnel-id Local Remote Status Role 1 10.1.1.1/4500 10.2.2.2/4500 READY INITIATOR Encr: AES-CBC 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/3600 sec

Child SA: Local selector 10.1.1.0/0 - 10.1.1.255/65535 Remote selector 10.2.2.0/0 - 10.2.2.255/65535 ESP spi in/out: 0x12345678/0x87654321

Based on this output, what can be concluded?

Question 18mediummultiple choice
Review the full routing breakdown →

A network engineer runs the following command on Router R8:

R8# show ip nhrp

10.0.0.1/32 via 10.0.0.1

Tunnel0 created 00:10:00, expire 01:50:00 Type: dynamic, Flags: unique registered NBMA address: 192.168.1.1

10.0.0.2/32 via 10.0.0.2

Tunnel0 created 00:05:00, expire 01:55:00 Type: dynamic, Flags: unique registered NBMA address: 192.168.1.2

Based on this output, what can be concluded?

Question 19hardmultiple choice
Open the full BGP breakdown →

A network engineer runs the following command on Router R9:

R9# show ip interface tunnel 0

Tunnel0 is up, line protocol is up Internet address is 10.0.0.9/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1400 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is disabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent

IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled

TCP/IP header compression is disabled RTP/IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disabled WCCP Redirect outbound is disabled WCCP Redirect inbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabled

Based on this output, what can be concluded?

Question 20mediummultiple choice
Read the full VPN explanation →

Given the following configuration on a Cisco IOS-XE router:

interface Tunnel100
 ip address 10.0.0.1 255.255.255.252

tunnel source GigabitEthernet0/0/0 tunnel destination 192.168.1.1 tunnel mode ipsec ipv4 tunnel protection ipsec profile MYPROFILE

What is the effect of this configuration?

Question 21mediummultiple choice
Read the full VPN explanation →

Examine the following IPsec configuration snippet:

crypto ikev2 proposal IKEV2_PROP

encryption aes-cbc-256 integrity sha256 group 14 !

crypto ikev2 policy IKEV2_POL

proposal IKEV2_PROP !

crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac

mode tunnel !

crypto ipsec profile IPSEC_PROF

set transform-set TSET set ikev2-profile IKEV2_POL

Which statement about this configuration is true?

Question 22mediummultiple choice
Read the full VPN explanation →

Consider the following DMVPN configuration on a hub router:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100

tunnel source GigabitEthernet0/0/0 tunnel mode gre multipoint

What is the effect of the command 'ip nhrp map multicast dynamic'?

Question 23mediummultiple choice
Review the full routing breakdown →

Given this configuration on a Cisco IOS-XE router:

crypto ikev2 keyring KEYRING

peer SPOKE1 address 192.168.2.1 pre-shared-key cisco123 !

crypto ikev2 profile IKEV2_PROF

match identity remote address 192.168.2.1 255.255.255.255 authentication remote pre-share authentication local pre-share keyring KEYRING !

What is missing from this configuration for a successful IKEv2 tunnel to the peer at 192.168.2.1?

Question 24mediummultiple choice
Read the full VPN explanation →

Examine this configuration for a site-to-site VPN on a Cisco router:

crypto isakmp policy 10

encryption aes 256 hash sha256 authentication pre-share group 14 lifetime 86400 !

crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac

mode tunnel !

crypto map CMAP 10 ipsec-isakmp

set peer 192.168.1.1 set transform-set TSET match address 101 !

interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map CMAP

!

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

Which statement about this configuration is true?

Question 25mediummultiple choice
Read the full VPN explanation →

Consider the following configuration for a FlexVPN spoke router:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0

tunnel source GigabitEthernet0/0/0 tunnel mode gre ip tunnel protection ipsec profile FLEXPROF

ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 192.168.1.1

What is the purpose of the 'ip nhrp map 10.0.0.1 192.168.1.1' command?

Question 26easymultiple choice
Review the full routing breakdown →

What is the default IKEv1 (ISAKMP) lifetime in seconds on Cisco IOS routers?

Question 27easymultiple choice
Read the full VPN explanation →

Which IPsec protocol provides both encryption and authentication within a single ESP header?

Question 28mediummultiple choice
Read the full VPN explanation →

In a DMVPN phase 2 network, what is the primary advantage of using phase 2 over phase 1?

Question 29mediumdrag order
Read the full VPN explanation →

Drag and drop the steps of IKEv2 IPsec tunnel establishment into the correct order, from first to last.

Question 30mediumdrag order
Read the full VPN explanation →

Drag and drop the steps of configuring a site-to-site IPsec VPN on Cisco IOS into the correct order, from first to last.

Question 31mediumdrag order
Read the full VPN explanation →

Drag and drop the steps of DMVPN Phase 3 NHRP registration and spoke-to-spoke tunnel establishment into the correct order, from first to last.

More VPN Technologies questions available in the full practice test.

Continue Practising →
←

Previous objective

802.1X and TrustSec

Next objective

Infrastructure Security

→

All 350-401 Objectives

  • 100.Architecture15%
  • 101.Enterprise Network Design
  • 102.SD-Access Architecture
  • 103.SD-WAN Architecture
  • 104.QoS Architecture
  • 200.Virtualization10%
  • 201.Network Function Virtualization
  • 202.Virtual Machines and Hypervisors
  • 203.VRF and Path Isolation
  • 300.Infrastructure30%
  • 301.OSPF
  • 302.BGP
  • 303.EIGRP
  • 304.VLANs and Trunking
  • 305.Spanning Tree Protocol
  • 306.EtherChannel
  • 307.Wireless Infrastructure
  • 308.MPLS
  • 309.WAN Technologies
  • 310.NAT and DHCP
  • 311.IP Multicast
  • 312.QoS
  • 400.Network Assurance10%
  • 401.SNMP and Syslog
  • 402.NetFlow and Telemetry
  • 403.SPAN and RSPAN
  • 404.IP SLA
  • 500.Security20%
  • 501.AAA, RADIUS, and TACACS+
  • 502.ACLs and CoPP
  • 503.802.1X and TrustSec
  • 504.VPN Technologies
  • 505.Infrastructure Security
  • 600.Automation15%
  • 601.Python for Network Automation
  • 602.Ansible Automation
  • 603.REST APIs and Data Models
  • 604.Cisco DNA Center
  • 605.Model-Driven Telemetry