Objective 204.0

IPsec Site-to-Site VPN

300-410 IPsec Site-to-Site VPN — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?

Question 3 (medium, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is not coming up. The engineer runs 'show crypto isakmp sa' and sees no active IKE SAs. The peer IP address is correctly configured. What should the engineer check first?

Question 4 (hard, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN between two Cisco routers. The tunnel is up, but traffic intermittently drops. The engineer notices that the 'show crypto ipsec sa' output shows the packet counters incrementing for both encrypt and decrypt, but the 'pkts encaps failed' counter is also increasing. What is the most likely cause?

Question 5 (hard, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up but traffic from the remote LAN to the local LAN is not working. The engineer pings from the remote router to the local LAN IP and it succeeds. However, pings from a host on the remote LAN to a host on the local LAN fail. What is the most likely cause?

Question 6 (medium, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel over IPsec. The GRE tunnel is up/up, but the routing protocol (EIGRP) running over the GRE tunnel is not forming an adjacency. The engineer checks the tunnel configuration and sees that the tunnel source and destination are correct. What is the most likely cause?

Question 7 (hard, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up, but the engineer notices that the 'show crypto ipsec sa' output shows that the number of packets encrypted is much higher than the number of packets decrypted on the remote side. What is the most likely cause?

Question 8 (medium, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN that stopped working after a recent configuration change. The engineer runs 'show crypto isakmp sa' and sees an active IKE SA, but 'show crypto ipsec sa' shows no IPsec SAs. What is the most likely cause?

Question 9 (hard, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up and traffic is flowing, but the engineer notices that the 'show crypto ipsec sa' output shows the 'pkts encaps failed' counter incrementing slowly over time. The tunnel remains up. What is the most likely cause?

Question 10 (medium, multiple choice)

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel. The GRE tunnel is up/up, and EIGRP is forming an adjacency over it. However, traffic from the local LAN to the remote LAN is not working. The engineer pings the remote LAN IP from the local router and it succeeds. What is the most likely cause?

Question 11 (medium, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        MM_NO_STATE       1    0    ACTIVE

Based on this output, what is the problem?

Question 12 (medium, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

Based on this output, what is the problem?

Question 13 (easy, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        QM_IDLE           1    0    ACTIVE

Based on this output, which statement is correct?

Question 14 (medium, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

Based on this output, what is the problem?

Question 15 (easy, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit

Based on this output, which statement is correct?

Question 16 (easy, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto ipsec transform-set
Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },

Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },

Based on this output, which statement is correct?

Question 17 (medium, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto map
Crypto Map "VPN-MAP" 10 ipsec-isakmp
        Peer = 10.1.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ESP-AES256-SHA,}
        Interfaces using crypto map VPN-MAP:
                Tunnel0

Based on this output, which statement is correct?

Question 18 (medium, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa | include pkts
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Based on this output, what is the problem?

Question 19 (medium, multiple choice)

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa detail
Codes: C - IKEv1, I - IKEv2

C-id  Local      Remote     I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap
1     10.1.1.1   10.1.1.2          ACTIVE  aes   sha   psk   14  23:59:59

Based on this output, which statement is correct?

Question 20 (medium, multiple choice)

Given the following partial configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of this configuration?

Question 21 (medium, multiple choice)

Consider the following configuration on router R2:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp key secretkey address 192.168.1.1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Which statement is true?

Question 22 (medium, multiple choice)

Given the partial configuration:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of the 'crypto isakmp key' command with address 0.0.0.0 0.0.0.0?

Question 23 (medium, multiple choice)

Examine this configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is missing from this configuration to ensure the tunnel works correctly?

Question 24 (medium, multiple choice)

Given this configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What will happen when traffic from 10.1.1.0/24 to 10.2.2.0/24 is generated?

Question 25 (medium, multiple choice)

Consider the following configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

If the remote peer has an ISAKMP policy with encryption 3des, what will happen?

Question 26 (easy, multiple choice)

In IPsec site-to-site VPN, what is the default lifetime for ISAKMP (IKE phase 1) security associations on Cisco IOS routers?

Question 27 (medium, multiple choice)

Which Diffie-Hellman group is considered the minimum recommended for secure IPsec site-to-site VPNs according to current best practices?

Question 28 (easy, multiple choice)

In IPsec site-to-site VPN, what is the purpose of the 'match address' command under a crypto map?

Question 29 (medium, multi select)

Which TWO commands would a network engineer use to verify the status of IPsec security associations on a Cisco IOS router? (Choose TWO.)

Question 30 (medium, multi select)

Which TWO statements about IPsec site-to-site VPN configuration using IKEv1 are true? (Choose TWO.)

Question 31 (hard, multi select)

Which TWO configuration steps are required to enable IPsec site-to-site VPN with IKEv2 on a Cisco router? (Choose TWO.)
