20+ practice questions focused on VPN Technologies — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?
Explanation: The IKE policy parameters must match exactly on both peers. In this scenario, the policies appear identical, but a common oversight is that the hash algorithm (e.g., SHA-256) is not specified in the policy; the default is MD5 or SHA-1 depending on IOS version. If one router uses default SHA-1 and the other uses MD5, the mismatch will prevent Phase 1 from completing. Option B is correct because the hash algorithm mismatch is a frequent cause of failure. Option A is incorrect because the lifetimes match. Option C is incorrect because group 14 is valid. Option D is incorrect because pre-shared keys can be used with strong encryption.
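As an added example (not part of the page or of any Cisco tool), the following Python checker shows why two typed-identical ISAKMP policies can still mismatch: it overlays each block on that platform's defaults before comparing, so an omitted parameter such as hash is compared by its effective value. The DEFAULTS table is an assumption for illustration; real defaults vary by IOS release.

```python
# Added example: compare two IOS "crypto isakmp policy" blocks after filling in
# platform defaults, so a parameter that is merely omitted (such as "hash")
# still shows up as an IKE Phase 1 mismatch.

# Assumed per-platform defaults for an unspecified policy parameter. These are
# illustrative only; check the defaults of the IOS releases you actually run.
DEFAULTS = {
    "ios-sha1": {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                 "group": "1", "lifetime": "86400"},
    "ios-md5": {"encryption": "des", "hash": "md5", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"},
}
KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_policy(text):
    """Return {parameter: value} for one 'crypto isakmp policy' block."""
    params = {}
    for line in text.strip().splitlines():
        parts = line.strip().split()
        if not parts or parts[0] == "crypto":
            continue  # skip blank lines and the block header
        if parts[0] in KEYS:
            params[parts[0]] = " ".join(parts[1:])  # e.g. "aes 256"
    return params

def effective_policy(text, platform):
    """Explicitly configured settings overlaid on the platform's defaults."""
    policy = dict(DEFAULTS[platform])
    policy.update(parse_policy(text))
    return policy

def phase1_mismatches(local_text, local_platform, remote_text, remote_platform):
    """List (parameter, local_value, remote_value) for every differing value."""
    local = effective_policy(local_text, local_platform)
    remote = effective_policy(remote_text, remote_platform)
    return [(k, local[k], remote[k]) for k in KEYS if local[k] != remote[k]]

# Constructed sample: the scenario's two "identical" policies, with no hash line.
LOCAL = """crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 group 14
 lifetime 86400"""
REMOTE = LOCAL  # the same lines were typed on the remote peer

if __name__ == "__main__":
    for name, lv, rv in phase1_mismatches(LOCAL, "ios-sha1", REMOTE, "ios-md5"):
        print(f"Phase 1 mismatch: {name} local={lv} remote={rv}")
```

Adding an explicit hash line to both blocks (for example "hash sha256") makes the comparison clean regardless of platform defaults, which is the fix the explanation points to.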
A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?
Explanation: In DMVPN Phase 2, spokes learn about other spoke networks via the hub using dynamic routing (e.g., EIGRP or OSPF). The hub must be configured to propagate spoke routes to other spokes. If the hub is not configured to redistribute or advertise the spoke subnets, the spokes will not have routes to each other. Option C is correct because the hub must have a routing configuration that allows spoke-to-spoke route propagation. Option A is incorrect because NHRP is used for mapping, not routing. Option B is incorrect because spoke-to-spoke tunnels are established dynamically via NHRP. Option D is incorrect because mGRE is the correct interface type for DMVPN.
An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?
Explanation: In FlexVPN, the tunnel IP addresses are typically used for routing, and the loopback may not be advertised into the routing protocol or may not be reachable via the tunnel interface. If the hub's loopback is not included in the routing updates (e.g., via a network statement in EIGRP or OSPF), the spokes will not have a route to it. Option D is correct because the loopback is not being advertised. Option A is incorrect because IKEv2 is working. Option B is incorrect because certificates are not the issue. Option C is incorrect because the tunnel itself is up.
A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?
Explanation: In GETVPN, the KS must define a traffic selector (access list) that specifies which traffic to encrypt. Without a proper access list, the KS will not send the policy to the GMs, and traffic will pass in the clear. Option A is correct because the access list is missing. Option B is incorrect because the group name is not the issue. Option C is incorrect because the KS does not need an IPsec profile. Option D is incorrect because GMs can be in different subnets.
An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?
Explanation: IKE Phase 1 SAs have a lifetime; when the lifetime expires, the SA is rekeyed. If the rekey fails or is delayed, the tunnel may drop temporarily. Option B is correct because the lifetime expiration is the most common cause. Option A is incorrect because DPD is used to detect dead peers, not cause drops. Option C is incorrect because rekeying is normal. Option D is incorrect because the Phase 2 lifetime is separate.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of VPN Technologies. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
VPN Technologies questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. VPN Technologies is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted VPN Technologies questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but VPN Technologies is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.