Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


300-410 IPsec Site-to-Site VPN • Complete Question Bank

300-410 IPsec Site-to-Site VPN — All Questions With Answers

Complete 300-410 IPsec Site-to-Site VPN question bank — all 0 questions with answers and detailed explanations.

76 Questions • Free • No signup
Question 1 • medium • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?

Question 2 • medium • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is not coming up. The engineer runs 'show crypto isakmp sa' and sees no active IKE SAs. The peer IP address is correctly configured. What should the engineer check first?

Question 3 • hard • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN between two Cisco routers. The tunnel is up, but traffic intermittently drops. The engineer notices that the 'show crypto ipsec sa' output shows the packet counters incrementing for both encrypt and decrypt, but the 'pkts encaps failed' counter is also increasing. What is the most likely cause?

Question 4 • hard • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up but traffic from the remote LAN to the local LAN is not working. The engineer pings from the remote router to the local LAN IP and it succeeds. However, pings from a host on the remote LAN to a host on the local LAN fail. What is the most likely cause?

Question 5 • medium • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel over IPsec. The GRE tunnel is up/up, but the routing protocol (EIGRP) running over the GRE tunnel is not forming an adjacency. The engineer checks the tunnel configuration and sees that the tunnel source and destination are correct. What is the most likely cause?

Question 6 • hard • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up, but the engineer notices that the 'show crypto ipsec sa' output shows that the number of packets encrypted is much higher than the number of packets decrypted on the remote side. What is the most likely cause?

Question 7 • medium • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN that stopped working after a recent configuration change. The engineer runs 'show crypto isakmp sa' and sees an active IKE SA, but 'show crypto ipsec sa' shows no IPsec SAs. What is the most likely cause?

Question 8 • hard • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up and traffic is flowing, but the engineer notices that the 'show crypto ipsec sa' output shows the 'pkts encaps failed' counter incrementing slowly over time. The tunnel remains up. What is the most likely cause?

Question 9 • medium • multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel. The GRE tunnel is up/up, and EIGRP is forming an adjacency over it. However, traffic from the local LAN to the remote LAN is not working. The engineer pings the remote LAN IP from the local router and it succeeds. What is the most likely cause?

Question 10 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        MM_NO_STATE          1    0 ACTIVE

Based on this output, what is the problem?

Question 11 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

Based on this output, what is the problem?

Question 12 • easy • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        QM_IDLE              1    0 ACTIVE

Based on this output, which statement is correct?

Question 13 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

Based on this output, what is the problem?

Question 14 • easy • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit

Based on this output, which statement is correct?

Question 15 • easy • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec transform-set
Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },
Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },

Based on this output, which statement is correct?

Question 16 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto map
Crypto Map "VPN-MAP" 10 ipsec-isakmp
        Peer = 10.1.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ESP-AES256-SHA,}
        Interfaces using crypto map VPN-MAP:
                Tunnel0

Based on this output, which statement is correct?

Question 17 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa | include pkts
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Based on this output, what is the problem?

Question 18 • medium • multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa detail
Codes: C - IKEv1, I - IKEv2

C-id  Local     Remote    I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap
1     10.1.1.1  10.1.1.2         ACTIVE  aes   sha   psk   14  23:59:59

Based on this output, which statement is correct?

Question 19 • medium • multiple choice

Given the following partial configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of this configuration?

Question 20 • medium • multiple choice

Consider the following configuration on router R2:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp key secretkey address 192.168.1.1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Which statement is true?

Question 21 • medium • multiple choice

Given the partial configuration:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of the 'crypto isakmp key' command with address 0.0.0.0 0.0.0.0?

Question 22 • medium • multiple choice

Examine this configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is missing from this configuration to ensure the tunnel works correctly?

Question 23 • medium • multiple choice

Given this configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What will happen when traffic from 10.1.1.0/24 to 10.2.2.0/24 is generated?

Question 24 • medium • multiple choice

Consider the following configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

If the remote peer has an ISAKMP policy with encryption 3des, what will happen?

Question 25 • easy • multiple choice

In IPsec site-to-site VPN, what is the default lifetime for ISAKMP (IKE phase 1) security associations on Cisco IOS routers?

Question 26 • medium • multiple choice

Which Diffie-Hellman group is considered the minimum recommended for secure IPsec site-to-site VPNs according to current best practices?

Question 27 • easy • multiple choice

In IPsec site-to-site VPN, what is the purpose of the 'match address' command under a crypto map?

Question 28 • medium • multi select

Which TWO commands would a network engineer use to verify the status of IPsec security associations on a Cisco IOS router? (Choose TWO.)

Question 29 • medium • multi select

Which TWO statements about IPsec site-to-site VPN configuration using IKEv1 are true? (Choose TWO.)

Question 30 • hard • multi select

Which TWO configuration steps are required to enable IPsec site-to-site VPN with IKEv2 on a Cisco router? (Choose TWO.)

Question 31 • hard • multi select

Which THREE symptoms indicate a potential IPsec site-to-site VPN failure due to mismatched IKE parameters? (Choose THREE.)

Question 32 • medium • multi select

Which THREE statements about IPsec transform sets are true? (Choose THREE.)

Question 33 • hard • multiple choice

A large enterprise is using a DMVPN Phase 2 hub-and-spoke topology with IPsec protection. Spoke routers R3 and R4 are both behind NAT. The hub R1 has a tunnel interface with IPsec profile and mGRE. Spoke-to-spoke dynamic tunnels do not form. R3 can ping R4's tunnel IP via the hub, but R3's show dmvpn detail shows no NHRP redirect or shortcut. R4's show crypto ipsec sa shows no inbound/outbound SA for the R3-to-R4 traffic. What is the root cause?

Question 34 • hard • multiple choice

R1 and R2 are connected via a point-to-point serial link running OSPF. R1 has an IPsec tunnel protecting traffic between loopback0 (10.1.1.1/32) and R2's loopback0 (10.2.2.2/32). The crypto map is applied to the physical serial interface. OSPF adjacencies form, but routes are not installed correctly. R1's show ip route ospf shows a route to 10.2.2.2/32 via the serial interface, not the tunnel. What is the root cause?

Question 35 • hard • multiple choice

R1 and R2 are running EIGRP with IPsec site-to-site VPN over a WAN link. The tunnel interface is used for the VPN. R1's EIGRP configuration includes a distribute-list out that filters prefix 192.168.1.0/24. R2's show ip eigrp topology shows the prefix as active but never transitions to passive. R2's show ip route does not have 192.168.1.0/24. What is the root cause?

Question 36 • hard • multiple choice

R1 and R2 are connected via an IPsec VPN tunnel. R1 has a static route to 10.10.10.0/24 pointing to the tunnel interface. R2 has a static route to 192.168.1.0/24 pointing to the tunnel interface. Both routers have BGP configured between loopback addresses over the tunnel. BGP peering is established, but R1 cannot ping 10.10.10.1 (R2's loopback) from its loopback. R1's show ip bgp shows the route as valid but not best. What is the root cause?

Question 37 • hard • multiple choice

R1 and R2 have an IPsec VPN tunnel between their physical interfaces. They are running OSPF over the tunnel interface. R1's show ip ospf neighbor shows R2 as FULL, but R1's show ip route ospf does not include any routes from R2. R2's show ip route ospf shows routes from R1. What is the root cause?

Question 38 • hard • multiple choice

R1 and R2 are connected via an IPsec VPN tunnel. They are running EIGRP over the tunnel. R1's show ip eigrp neighbors shows R2 as up, but R1's show ip eigrp topology shows all routes from R2 in passive state. However, R1's show ip route does not have any EIGRP routes from R2. What is the root cause?

Question 39 • hard • multiple choice

R1 and R2 have an IPsec VPN tunnel between their physical interfaces. They are running BGP over the tunnel interface. R1's show ip bgp summary shows the BGP session with R2 as established, but R1's show ip bgp shows no routes from R2. R2's show ip bgp shows routes from R1. What is the root cause?

Question 40 • hard • multiple choice

R1 and R2 are connected via an IPsec VPN tunnel. They are running OSPF over the tunnel. R1's show ip ospf neighbor shows R2 as FULL, but R1's show ip ospf database shows the LSA from R2 but with a high age (e.g., 3600). R1's show ip route does not have routes from R2. What is the root cause?

Question 41 • hard • multiple choice

R1 and R2 are connected via an IPsec VPN tunnel. They are running EIGRP over the tunnel. R1's show ip eigrp neighbors shows R2 as up, but R1's show ip eigrp topology shows a route from R2 as 'stuck-in-active' (SIA). R1's show ip eigrp traffic shows queries being sent but no replies. What is the root cause?

Question 42 • medium • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# debug crypto isakmp

*Mar  1 00:01:23.456: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA
*Mar  1 00:01:23.457: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
*Mar  1 00:01:23.457: ISAKMP: New peer created peer = 0x12345678 peer_handle = 0x80000001
*Mar  1 00:01:23.457: ISAKMP: Locking peer struct 0x12345678, refcount 1 for crypto_isakmp_process_block
*Mar  1 00:01:23.457: ISAKMP (0:0): SA request profile is (default)
*Mar  1 00:01:23.457: ISAKMP: local port 500, remote port 500
*Mar  1 00:01:23.458: ISAKMP (0:0): found peer pre-shared-key matching 192.168.1.2
*Mar  1 00:01:23.458: ISAKMP (0:0): constructed NAT-T vendor ID
*Mar  1 00:01:23.458: ISAKMP (0:0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:01:23.458: ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 00:01:23.459: ISAKMP (0:0): processing SA payload. message ID = 0
*Mar  1 00:01:23.459: ISAKMP (0:0): Checking ISAKMP transform 1 against priority 1 policy
*Mar  1 00:01:23.459: ISAKMP:      encryption DES-CBC
*Mar  1 00:01:23.459: ISAKMP:      hash SHA
*Mar  1 00:01:23.459: ISAKMP:      default group 2
*Mar  1 00:01:23.459: ISAKMP:      auth pre-share
*Mar  1 00:01:23.459: ISAKMP (0:0): atts are not acceptable. Next transforms are not acceptable
*Mar  1 00:01:23.460: ISAKMP (0:0): no offers accepted!

What does this output indicate?

Question 43 • medium • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# debug crypto ipsec

*Mar  1 00:02:34.567: IPSEC(sa_request): , (key eng. msg.) src=10.0.0.1, dst=10.0.0.2, src_proxy=192.168.1.0/255.255.255.0/0/0, dst_proxy=192.168.2.0/255.255.255.0/0/0, 
*Mar  1 00:02:34.567: IPSEC(validate_proposal): transform proposal (esp-3des esp-sha-hmac) not supported for proxy 192.168.1.0/255.255.255.0/0/0
*Mar  1 00:02:34.567: IPSEC(validate_proposal): proposal doesn't match!
*Mar  1 00:02:34.568: IPSEC(create_sa): SA created with (0x1234, 0x5678) but no inbound or outbound SPI

What does this output indicate?

Question 44 • easy • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto isakmp sa detail

IPv4 Crypto ISAKMP SA
C-id  Local        Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1001  192.168.1.1  192.168.2.2         ACTIVE  des   sha   pre   2   23:59:21
1002  192.168.1.1  192.168.2.2         ACTIVE  3des  sha   pre   2   23:58:15

IPv6 Crypto ISAKMP SA

What does this output indicate?

Question 45 • medium • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto ipsec sa detail

interface: Tunnel0
    Crypto map tag: CMAP, local addr 192.168.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 192.168.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x0(0)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 8 bytes
        replay detection support: N

     outbound esp sas:
      spi: 0x0(0)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000000, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 8 bytes
        replay detection support: N

What does this output indicate?

Question 46 • easy • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto ipsec transform-set
Transform set combined-des-sha: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set myset: { esp-3des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set strong: { esp-aes 256 esp-sha-hmac }
   will negotiate = { Tunnel, },

What does this output indicate?

Question 47 • easy • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto engine connections active
Crypto Engine Connections

ID  Type   Algorithm     Encrypt  Decrypt  LastSeqNo
1   IPsec  ESP-3DES+SHA  0        0        0
2   IPsec  ESP-3DES+SHA  0        0        0
3   IPsec  ESP-AES+SHA   0        0        0

What does this output indicate?

Question 48 • easy • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={myset, }
        Interfaces using crypto map CMAP:
                Tunnel0

What does this output indicate?

Question 49 • medium • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show ip route 192.168.2.0
Routing entry for 192.168.2.0/24
  Known via "eigrp 100", distance 90, metric 2684416, type internal
  Redistributing via eigrp 100
  Last update from 10.0.0.2 on Tunnel0, 00:00:23 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, from 10.0.0.2, via Tunnel0
      Route metric is 2684416, traffic share count is 1
      Total delay is 20000 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

What does this output indicate?

Question 50 • medium • multiple choice

A network engineer runs the following command to troubleshoot an IPsec Site-to-Site VPN issue:

R1# show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

What does this output indicate?

Question 51 • easy • multiple choice

What is the default IKE (ISAKMP) lifetime value in Cisco IOS for IPsec Site-to-Site VPN?

Question 52 • medium • multiple choice

Which default IPsec transform set is automatically created in Cisco IOS when configuring a site-to-site VPN?

Question 53 • hard • multiple choice

In IPsec site-to-site VPN, what is the default Diffie-Hellman (DH) group used in IKEv1 phase 1 on Cisco IOS?

Question 54 • medium • multiple choice

Which statement correctly describes the default behavior of Dead Peer Detection (DPD) in Cisco IOS for IPsec site-to-site VPN?

Question 55 • easy • multiple choice

In IPsec site-to-site VPN, what is the default IPsec SA lifetime in Cisco IOS?

Question 56 • hard • multiple choice

Which authentication method is used by default in IKEv1 main mode for IPsec site-to-site VPN on Cisco IOS?

Question 57 • hard • multiple choice

In Cisco IOS, what is the default encryption algorithm for IKEv1 phase 1 if not specified in the ISAKMP policy?

Question 58 • medium • multiple choice

What is the default hash algorithm for IKEv1 phase 1 in Cisco IOS when not explicitly configured?

Question 59 • hard • multiple choice

In Cisco IOS, what is the default IKEv1 phase 1 authentication method when using a pre-shared key and no explicit authentication is configured?

Question 60 • medium • drag order

Drag and drop the steps to negotiate an IKEv2 IPsec site-to-site tunnel into the correct order, from first to last.

Question 61 • hard • drag order

Drag and drop the steps to troubleshoot an IPsec site-to-site VPN adjacency failure into the correct order, from first to last.

Question 62 • medium • drag order

Drag and drop the steps to verify and validate the operational state of an IPsec site-to-site VPN into the correct order, from first to last.

Question 63 • hard • multi select

Which TWO statements correctly describe the use of IKEv2 for IPsec site-to-site VPNs? (Choose TWO.)

Question 64 • hard • multi select

Which TWO configuration changes are required to enable IPsec site-to-site VPN with IKEv2 and pre-shared keys on a Cisco IOS router? (Choose TWO.)

Question 65 • hard • multi select

Which TWO statements about IPsec transform sets and security associations (SAs) are true? (Choose TWO.)

Question 66 • hard • multi select

Which TWO statements about IPsec site-to-site VPN troubleshooting using 'show crypto session' and 'show crypto ipsec sa' are correct? (Choose TWO.)

Question 67 • hard • multi select

Which TWO actions will prevent an IPsec site-to-site VPN tunnel from coming up when using IKEv2 and pre-shared keys? (Choose TWO.)

Question 68 • hard • multiple choice

An engineer configures a site-to-site IPsec VPN between two routers using OSPF as the routing protocol. The OSPF neighbor becomes stuck in EXSTART state. The engineer verifies that the IPsec tunnel is up and that both routers can ping each other's tunnel interfaces. What is the most likely cause of the OSPF adjacency issue?

Question 69 • hard • multiple choice

An engineer configures an IPsec site-to-site VPN between two routers running EIGRP. The EIGRP neighbor forms, but routes are not being exchanged. The engineer notices that the EIGRP neighbor is stuck in active state for certain routes. What is the most likely explanation?

Question 70 • hard • multiple choice

An engineer configures an IPsec site-to-site VPN between two routers using iBGP for routing. The BGP session comes up, but routes learned from the remote site are not installed in the routing table. The engineer verifies that the IPsec tunnel is up and that the BGP prefixes are present in the BGP table. What is the most likely explanation?

Question 71 • hard • multiple choice

An engineer configures mutual redistribution between OSPF and EIGRP on a router that is part of an IPsec site-to-site VPN. After the configuration, routing loops occur intermittently. The engineer has not used any route tagging. What is the most likely cause of the routing loops?

Question 72 • hard • multiple choice

An engineer configures a DMVPN Phase 2 network with IPsec protection. Spoke-to-spoke tunnels form, but traffic between spokes is not being forwarded directly; it still goes through the hub. The engineer verifies that NHRP registrations are successful and that the spoke-to-spoke IPsec sessions are established. What is the most likely explanation?

Question 73 • hard • multiple choice

An engineer configures an IPsec site-to-site VPN using IKEv1 with aggressive mode. The VPN tunnel establishes, but after some time, the tunnel goes down and re-establishes repeatedly. The engineer notices that the ISAKMP SA lifetime is set to 86400 seconds on one router and 3600 seconds on the other. What is the most likely explanation for the instability?

Question 74 • hard • multiple choice

An engineer configures Control Plane Policing (CoPP) on a router that terminates multiple IPsec site-to-site VPN tunnels. After applying the CoPP policy, some IPsec tunnels fail to establish, while others work fine. The engineer verifies that the CoPP policy permits IKE (UDP 500) and ESP (protocol 50) traffic. What is the most likely cause of the failure?

Question 75 • hard • multiple choice

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on the outside interface of a router that terminates an IPsec site-to-site VPN. After the configuration, the VPN tunnel establishes, but traffic from the remote site is not forwarded correctly. The engineer verifies that the IPsec tunnel is up and that the routing table has the correct routes. What is the most likely explanation?

Question 76 • hard • multiple choice

An engineer configures an IPsec site-to-site VPN between two routers using OSPF as the routing protocol. The OSPF neighbor forms, but routes are not being exchanged. The engineer verifies that the IPsec tunnel is up and that OSPF packets are being encrypted. The OSPF network type on the tunnel interface is set to broadcast. What is the most likely explanation for the missing routes?
