
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


IPsec Site-to-Site VPN

Practice 300-410 IPsec Site-to-Site VPN questions with full explanations on every answer.


All 300-410 IPsec Site-to-Site VPN questions (76)


1

A network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?

2

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is not coming up. The engineer runs 'show crypto isakmp sa' and sees no active IKE SAs. The peer IP address is correctly configured. What should the engineer check first?

3

A network engineer is troubleshooting an IPsec site-to-site VPN between two Cisco routers. The tunnel is up, but traffic intermittently drops. The engineer notices that the 'show crypto ipsec sa' output shows the packet counters incrementing for both encrypt and decrypt, but the 'pkts encaps failed' counter is also increasing. What is the most likely cause?

4

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up but traffic from the remote LAN to the local LAN is not working. The engineer pings from the remote router to the local LAN IP and it succeeds. However, pings from a host on the remote LAN to a host on the local LAN fail. What is the most likely cause?

5

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel over IPsec. The GRE tunnel is up/up, but the routing protocol (EIGRP) running over the GRE tunnel is not forming an adjacency. The engineer checks the tunnel configuration and sees that the tunnel source and destination are correct. What is the most likely cause?

6

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up, but the engineer notices that the 'show crypto ipsec sa' output shows that the number of packets encrypted is much higher than the number of packets decrypted on the remote side. What is the most likely cause?

7

A network engineer is troubleshooting an IPsec site-to-site VPN that stopped working after a recent configuration change. The engineer runs 'show crypto isakmp sa' and sees an active IKE SA, but 'show crypto ipsec sa' shows no IPsec SAs. What is the most likely cause?

8

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up and traffic is flowing, but the engineer notices that the 'show crypto ipsec sa' output shows the 'pkts encaps failed' counter incrementing slowly over time. The tunnel remains up. What is the most likely cause?

9

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel. The GRE tunnel is up/up, and EIGRP is forming an adjacency over it. However, traffic from the local LAN to the remote LAN is not working. The engineer pings the remote LAN IP from the local router and it succeeds. What is the most likely cause?

10

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst             src             state          conn-id slot status
    10.1.1.2        10.1.1.1        MM_NO_STATE          1    0 ACTIVE

Based on this output, what is the problem?

11

A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: VPN-MAP, local addr 10.1.1.1
      protected vrf: (none)
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer 10.1.1.2 port 500
        PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #send errors 0, #recv errors 0

Based on this output, what is the problem?

12

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa
    dst             src             state          conn-id slot status
    10.1.1.2        10.1.1.1        QM_IDLE              1    0 ACTIVE

Based on this output, which statement is correct?

13

A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa peer 10.1.1.2
    interface: Tunnel0
        Crypto map tag: VPN-MAP, local addr 10.1.1.1
      protected vrf: (none)
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer 10.1.1.2 port 500
        PERMIT, flags={origin_is_acl,}
        #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #send errors 0, #recv errors 0

Based on this output, what is the problem?

14

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
    Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit

Based on this output, which statement is correct?

15

A network engineer runs the following command on Router R1:

    R1# show crypto ipsec transform-set
    Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
       will negotiate = { Tunnel, },
    Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
       will negotiate = { Tunnel, },

Based on this output, which statement is correct?

16

A network engineer runs the following command on Router R1:

    R1# show crypto map
    Crypto Map "VPN-MAP" 10 ipsec-isakmp
        Peer = 10.1.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ESP-AES256-SHA,}
        Interfaces using crypto map VPN-MAP:
            Tunnel0

Based on this output, which statement is correct?

17

A network engineer runs the following command on Router R1:

    R1# show crypto ipsec sa | include pkts
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Based on this output, what is the problem?

18

A network engineer runs the following command on Router R1:

    R1# show crypto isakmp sa detail
    Codes: C - IKEv1, I - IKEv2
    C-id  Local      Remote     I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap
    1     10.1.1.1   10.1.1.2          ACTIVE  aes   sha   psk   14  23:59:59

Based on this output, which statement is correct?

19

Given the following partial configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of this configuration?

20

Consider the following configuration on router R2:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 3600
    !
    crypto isakmp key secretkey address 192.168.1.1
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.1
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.2 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Which statement is true?

21

Given the partial configuration:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
    !
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of the 'crypto isakmp key' command with address 0.0.0.0 0.0.0.0?

22

Examine this configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is missing from this configuration to ensure the tunnel works correctly?

23

Given this configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What will happen when traffic from 10.1.1.0/24 to 10.2.2.0/24 is generated?

24

Consider the following configuration on router R1:

    crypto isakmp policy 10
     encryption aes 256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key cisco123 address 192.168.1.2
    !
    crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set TSET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     crypto map CMAP
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

If the remote peer has an ISAKMP policy with encryption 3des, what will happen?

25

In IPsec site-to-site VPN, what is the default lifetime for ISAKMP (IKE phase 1) security associations on Cisco IOS routers?

26

Which Diffie-Hellman group is considered the minimum recommended for secure IPsec site-to-site VPNs according to current best practices?

27

In IPsec site-to-site VPN, what is the purpose of the 'match address' command under a crypto map?

28

Which TWO commands would a network engineer use to verify the status of IPsec security associations on a Cisco IOS router? (Choose TWO.)

29

Which TWO statements about IPsec site-to-site VPN configuration using IKEv1 are true? (Choose TWO.)

30

Which TWO configuration steps are required to enable IPsec site-to-site VPN with IKEv2 on a Cisco router? (Choose TWO.)

31

Which THREE symptoms indicate a potential IPsec site-to-site VPN failure due to mismatched IKE parameters? (Choose THREE.)

32

Which THREE statements about IPsec transform sets are true? (Choose THREE.)

33

A large enterprise is using a DMVPN Phase 2 hub-and-spoke topology with IPsec protection. Spoke routers R3 and R4 are both behind NAT. The hub R1 has a tunnel interface with IPsec profile and mGRE. Spoke-to-spoke dynamic tunnels do not form. R3 can ping R4's tunnel IP via the hub, but R3's show dmvpn detail shows no NHRP redirect or shortcut. R4's show crypto ipsec sa shows no inbound/outbound SA for the R3-to-R4 traffic. What is the root cause?

34

R1 and R2 are connected via a point-to-point serial link running OSPF. R1 has an IPsec tunnel protecting traffic between loopback0 (10.1.1.1/32) and R2's loopback0 (10.2.2.2/32). The crypto map is applied to the physical serial interface. OSPF adjacencies form, but routes are not installed correctly. R1's show ip route ospf shows a route to 10.2.2.2/32 via the serial interface, not the tunnel. What is the root cause?

35

R1 and R2 are running EIGRP with IPsec site-to-site VPN over a WAN link. The tunnel interface is used for the VPN. R1's EIGRP configuration includes a distribute-list out that filters prefix 192.168.1.0/24. R2's show ip eigrp topology shows the prefix as active but never transitions to passive. R2's show ip route does not have 192.168.1.0/24. What is the root cause?

36

R1 and R2 are connected via an IPsec VPN tunnel. R1 has a static route to 10.10.10.0/24 pointing to the tunnel interface. R2 has a static route to 192.168.1.0/24 pointing to the tunnel interface. Both routers have BGP configured between loopback addresses over the tunnel. BGP peering is established, but R1 cannot ping 10.10.10.1 (R2's loopback) from its loopback. R1's show ip bgp shows the route as valid but not best. What is the root cause?

37

R1 and R2 have an IPsec VPN tunnel between their physical interfaces. They are running OSPF over the tunnel interface. R1's show ip ospf neighbor shows R2 as FULL, but R1's show ip route ospf does not include any routes from R2. R2's show ip route ospf shows routes from R1. What is the root cause?

38

R1 and R2 are connected via an IPsec VPN tunnel. They are running EIGRP over the tunnel. R1's show ip eigrp neighbors shows R2 as up, but R1's show ip eigrp topology shows all routes from R2 in passive state. However, R1's show ip route does not have any EIGRP routes from R2. What is the root cause?

39

R1 and R2 have an IPsec VPN tunnel between their physical interfaces. They are running BGP over the tunnel interface. R1's show ip bgp summary shows the BGP session with R2 as established, but R1's show ip bgp shows no routes from R2. R2's show ip bgp shows routes from R1. What is the root cause?

40

R1 and R2 are connected via an IPsec VPN tunnel. They are running OSPF over the tunnel. R1's show ip ospf neighbor shows R2 as FULL, but R1's show ip ospf database shows the LSA from R2 but with a high age (e.g., 3600). R1's show ip route does not have routes from R2. What is the root cause?

41

R1 and R2 are connected via an IPsec VPN tunnel. They are running EIGRP over the tunnel. R1's show ip eigrp neighbors shows R2 as up, but R1's show ip eigrp topology shows a route from R2 as 'stuck-in-active' (SIA). R1's show ip eigrp traffic shows queries being sent but no replies. What is the root cause?

42

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# debug crypto isakmp
    *Mar 1 00:01:23.456: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA
    *Mar 1 00:01:23.457: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
    *Mar 1 00:01:23.457: ISAKMP: New peer created peer = 0x12345678 peer_handle = 0x80000001
    *Mar 1 00:01:23.457: ISAKMP: Locking peer struct 0x12345678, refcount 1 for crypto_isakmp_process_block
    *Mar 1 00:01:23.457: ISAKMP (0:0): SA request profile is (default)
    *Mar 1 00:01:23.457: ISAKMP: local port 500, remote port 500
    *Mar 1 00:01:23.458: ISAKMP (0:0): found peer pre-shared-key matching 192.168.1.2
    *Mar 1 00:01:23.458: ISAKMP (0:0): constructed NAT-T vendor ID
    *Mar 1 00:01:23.458: ISAKMP (0:0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Mar 1 00:01:23.458: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *Mar 1 00:01:23.459: ISAKMP (0:0): processing SA payload. message ID = 0
    *Mar 1 00:01:23.459: ISAKMP (0:0): Checking ISAKMP transform 1 against priority 1 policy
    *Mar 1 00:01:23.459: ISAKMP: encryption DES-CBC
    *Mar 1 00:01:23.459: ISAKMP: hash SHA
    *Mar 1 00:01:23.459: ISAKMP: default group 2
    *Mar 1 00:01:23.459: ISAKMP: auth pre-share
    *Mar 1 00:01:23.459: ISAKMP (0:0): atts are not acceptable. Next transforms are not acceptable
    *Mar 1 00:01:23.460: ISAKMP (0:0): no offers accepted!

What does this output indicate?

43

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# debug crypto ipsec
    *Mar 1 00:02:34.567: IPSEC(sa_request): , (key eng. msg.) src=10.0.0.1, dst=10.0.0.2, src_proxy=192.168.1.0/255.255.255.0/0/0, dst_proxy=192.168.2.0/255.255.255.0/0/0,
    *Mar 1 00:02:34.567: IPSEC(validate_proposal): transform proposal (esp-3des esp-sha-hmac) not supported for proxy 192.168.1.0/255.255.255.0/0/0
    *Mar 1 00:02:34.567: IPSEC(validate_proposal): proposal doesn't match!
    *Mar 1 00:02:34.568: IPSEC(create_sa): SA created with (0x1234, 0x5678) but no inbound or outbound SPI

What does this output indicate?

44

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto isakmp sa detail
    IPv4 Crypto ISAKMP SA
    C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
    1001  192.168.1.1  192.168.2.2         ACTIVE  des   sha   pre   2   23:59:21
    1002  192.168.1.1  192.168.2.2         ACTIVE  3des  sha   pre   2   23:58:15
    IPv6 Crypto ISAKMP SA

What does this output indicate?

45

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto ipsec sa detail
    interface: Tunnel0
        Crypto map tag: CMAP, local addr 192.168.1.1
      protected vrf: (none)
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer 192.168.2.2 port 500
        PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
        local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.2
        path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
        current outbound spi: 0x0(0)
        PFS (Y/N): N, DH group: none
        inbound esp sas:
          spi: 0x0(0)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (0/0)
            IV size: 8 bytes
            replay detection support: N
        outbound esp sas:
          spi: 0x0(0)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (0/0)
            IV size: 8 bytes
            replay detection support: N

What does this output indicate?

46

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto ipsec transform-set
    Transform set combined-des-sha: { esp-des esp-sha-hmac }
       will negotiate = { Tunnel, },
    Transform set myset: { esp-3des esp-sha-hmac }
       will negotiate = { Tunnel, },
    Transform set strong: { esp-aes 256 esp-sha-hmac }
       will negotiate = { Tunnel, },

What does this output indicate?

47

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto engine connections active
    Crypto Engine Connections
    ID  Type   Algorithm     Encrypt  Decrypt  LastSeqNo
    1   IPsec  ESP-3DES+SHA  0        0        0
    2   IPsec  ESP-3DES+SHA  0        0        0
    3   IPsec  ESP-AES+SHA   0        0        0

What does this output indicate?

48

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto map
    Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={myset, }
        Interfaces using crypto map CMAP:
            Tunnel0

What does this output indicate?

49

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show ip route 192.168.2.0
    Routing entry for 192.168.2.0/24
      Known via "eigrp 100", distance 90, metric 2684416, type internal
      Redistributing via eigrp 100
      Last update from 10.0.0.2 on Tunnel0, 00:00:23 ago
      Routing Descriptor Blocks:
      * 10.0.0.2, from 10.0.0.2, via Tunnel0
          Route metric is 2684416, traffic share count is 1
          Total delay is 20000 microseconds, minimum bandwidth is 100000 Kbit
          Reliability 255/255, minimum MTU 1500 bytes
          Loading 1/255, Hops 1

What does this output indicate?

50

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

    R1# show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
    Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

What does this output indicate?

51

What is the default IKE (ISAKMP) lifetime value in Cisco IOS for IPsec Site-to-Site VPN?

52

Which default IPsec transform set is automatically created in Cisco IOS when configuring a site-to-site VPN?

53

In IPsec site-to-site VPN, what is the default Diffie-Hellman (DH) group used in IKEv1 phase 1 on Cisco IOS?

54

Which statement correctly describes the default behavior of Dead Peer Detection (DPD) in Cisco IOS for IPsec site-to-site VPN?

55

In IPsec site-to-site VPN, what is the default IPsec SA lifetime in Cisco IOS?

56

Which authentication method is used by default in IKEv1 main mode for IPsec site-to-site VPN on Cisco IOS?

57

In Cisco IOS, what is the default encryption algorithm for IKEv1 phase 1 if not specified in the ISAKMP policy?

58

What is the default hash algorithm for IKEv1 phase 1 in Cisco IOS when not explicitly configured?

59

In Cisco IOS, what is the default IKEv1 phase 1 authentication method when using a pre-shared key and no explicit authentication is configured?

60

Drag and drop the steps to negotiate an IKEv2 IPsec site-to-site tunnel into the correct order, from first to last.

61

Drag and drop the steps to troubleshoot an IPsec site-to-site VPN adjacency failure into the correct order, from first to last.

62

Drag and drop the steps to verify and validate the operational state of an IPsec site-to-site VPN into the correct order, from first to last.

63

Which TWO statements correctly describe the use of IKEv2 for IPsec site-to-site VPNs? (Choose TWO.)

64

Which TWO configuration changes are required to enable IPsec site-to-site VPN with IKEv2 and pre-shared keys on a Cisco IOS router? (Choose TWO.)

65

Which TWO statements about IPsec transform sets and security associations (SAs) are true? (Choose TWO.)

66

Which TWO statements about IPsec site-to-site VPN troubleshooting using 'show crypto session' and 'show crypto ipsec sa' are correct? (Choose TWO.)

67

Which TWO actions will prevent an IPsec site-to-site VPN tunnel from coming up when using IKEv2 and pre-shared keys? (Choose TWO.)

68

An engineer configures a site-to-site IPsec VPN between two routers using OSPF as the routing protocol. The OSPF neighbor becomes stuck in EXSTART state. The engineer verifies that the IPsec tunnel is up and that both routers can ping each other's tunnel interfaces. What is the most likely cause of the OSPF adjacency issue?

69

An engineer configures an IPsec site-to-site VPN between two routers running EIGRP. The EIGRP neighbor forms, but routes are not being exchanged. The engineer notices that the EIGRP neighbor is stuck in active state for certain routes. What is the most likely explanation?

70

An engineer configures an IPsec site-to-site VPN between two routers using iBGP for routing. The BGP session comes up, but routes learned from the remote site are not installed in the routing table. The engineer verifies that the IPsec tunnel is up and that the BGP prefixes are present in the BGP table. What is the most likely explanation?

71

An engineer configures mutual redistribution between OSPF and EIGRP on a router that is part of an IPsec site-to-site VPN. After the configuration, routing loops occur intermittently. The engineer has not used any route tagging. What is the most likely cause of the routing loops?

72

An engineer configures a DMVPN Phase 2 network with IPsec protection. Spoke-to-spoke tunnels form, but traffic between spokes is not being forwarded directly; it still goes through the hub. The engineer verifies that NHRP registrations are successful and that the spoke-to-spoke IPsec sessions are established. What is the most likely explanation?

73

An engineer configures an IPsec site-to-site VPN using IKEv1 with aggressive mode. The VPN tunnel establishes, but after some time, the tunnel goes down and re-establishes repeatedly. The engineer notices that the ISAKMP SA lifetime is set to 86400 seconds on one router and 3600 seconds on the other. What is the most likely explanation for the instability?

74

An engineer configures Control Plane Policing (CoPP) on a router that terminates multiple IPsec site-to-site VPN tunnels. After applying the CoPP policy, some IPsec tunnels fail to establish, while others work fine. The engineer verifies that the CoPP policy permits IKE (UDP 500) and ESP (protocol 50) traffic. What is the most likely cause of the failure?

75

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on the outside interface of a router that terminates an IPsec site-to-site VPN. After the configuration, the VPN tunnel establishes, but traffic from the remote site is not forwarded correctly. The engineer verifies that the IPsec tunnel is up and that the routing table has the correct routes. What is the most likely explanation?

76

An engineer configures an IPsec site-to-site VPN between two routers using OSPF as the routing protocol. The OSPF neighbor forms, but routes are not being exchanged. The engineer verifies that the IPsec tunnel is up and that OSPF packets are being encrypted. The OSPF network type on the tunnel interface is set to broadcast. What is the most likely explanation for the missing routes?


Frequently asked questions

What does the IPsec Site-to-Site VPN domain cover on the 300-410 exam?

The IPsec Site-to-Site VPN domain covers the key concepts tested in this area of the 300-410 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 300-410 domains — no account required.

How many IPsec Site-to-Site VPN questions are in the 300-410 question bank?

The Courseiva 300-410 question bank contains 76 questions in the IPsec Site-to-Site VPN domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice IPsec Site-to-Site VPN for 300-410?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only IPsec Site-to-Site VPN questions for 300-410?

Yes — the session launcher on this page draws questions exclusively from the IPsec Site-to-Site VPN domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
