Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


350-401 VPN Technologies Practice Questions

20+ practice questions focused on VPN Technologies — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample VPN Technologies Questions

1. A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?

A. The lifetimes are set too high; they should be 3600 seconds.
B. The hash algorithm is not specified and defaults may differ between routers.
C. The Diffie-Hellman group 14 is not supported on these routers.
D. Pre-shared keys cannot be used with AES-256 encryption.

Explanation: The IKE policy parameters must match exactly on both peers. In this scenario, the policies appear identical, but a common oversight is that the hash algorithm (e.g., SHA-256) is not specified in the policy; the default is MD5 or SHA-1 depending on IOS version. If one router uses default SHA-1 and the other uses MD5, the mismatch will prevent Phase 1 from completing. Option B is correct because the hash algorithm mismatch is a frequent cause of failure. Option A is incorrect because the lifetimes match. Option C is incorrect because group 14 is valid. Option D is incorrect because pre-shared keys can be used with strong encryption.

2. A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?

A. The NHRP network ID is mismatched between the hub and spokes.
B. The spokes are not configured with a crypto map for IPsec.
C. The hub is not configured to propagate spoke routes to other spokes.
D. The tunnel mode is set to GRE instead of mGRE on the spokes.

Explanation: In DMVPN Phase 2, spokes learn about other spoke networks via the hub using dynamic routing (e.g., EIGRP or OSPF). The hub must be configured to propagate spoke routes to other spokes. If the hub is not configured to redistribute or advertise the spoke subnets, the spokes will not have routes to each other. Option C is correct because the hub must have a routing configuration that allows spoke-to-spoke route propagation. Option A is incorrect because NHRP is used for mapping, not routing. Option B is incorrect because spoke-to-spoke tunnels are established dynamically via NHRP. Option D is incorrect because mGRE is the correct interface type for DMVPN.

3. An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?

A. The IKEv2 proposal does not match between hub and spoke.
B. The certificate authority is not trusted by the hub.
C. The tunnel interface is not in an up/up state.
D. The loopback0 is not advertised in the routing protocol.

Explanation: In FlexVPN, the tunnel IP addresses are typically used for routing, and the loopback may not be advertised into the routing protocol or may not be reachable via the tunnel interface. If the hub's loopback is not included in the routing updates (e.g., via a network statement in EIGRP or OSPF), the spokes will not have a route to it. Option D is correct because the loopback is not being advertised. Option A is incorrect because IKEv2 is working. Option B is incorrect because certificates are not the issue. Option C is incorrect because the tunnel itself is up.

4. A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?

A. The KS is missing an access list to define the traffic to encrypt.
B. The group name on the GMs does not match the KS.
C. The KS is not configured with an IPsec profile.
D. The GMs are in different IP subnets than the KS.

Explanation: In GETVPN, the KS must define a traffic selector (access list) that specifies which traffic to encrypt. Without a proper access list, the KS will not send the policy to the GMs, and traffic will pass in the clear. Option A is correct because the access list is missing. Option B is incorrect because the group name is not the issue. Option C is incorrect because the KS does not need an IPsec profile. Option D is incorrect because GMs can be in different subnets.

5. An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?

A. The Dead Peer Detection (DPD) interval is too short.
B. The IKE Phase 1 lifetime is set too low.
C. The IPsec transform set is misconfigured.
D. The Phase 2 lifetime is longer than Phase 1.

Explanation: IKE Phase 1 SAs have a lifetime; when the lifetime expires, the SA is rekeyed. If the rekey fails or is delayed, the tunnel may drop temporarily. Option B is correct because the lifetime expiration is the most common cause. Option A is incorrect because DPD is used to detect dead peers, not cause drops. Option C is incorrect because rekeying is normal. Option D is incorrect because the Phase 2 lifetime is separate.

+15 more VPN Technologies questions available


How to master VPN Technologies for 350-401

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of VPN Technologies. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

VPN Technologies questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 350-401 VPN Technologies questions are on the real exam?

The exact number varies per candidate. VPN Technologies is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted VPN Technologies questions ensures you can handle any format or difficulty that appears.

Are these 350-401 VPN Technologies practice questions free?

Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is VPN Technologies one of the harder 350-401 topics?

Difficulty is subjective, but VPN Technologies is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: VPN Technologies
Exam: 350-401
Questions available: 20+