CCNA VPN Technologies Questions

58 questions · VPN Technologies · All types, answers revealed

Question 1 · Drag & Drop · medium

Drag and drop the steps of the IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.


Why this order

IKEv2 fragmentation occurs when the IKE packet exceeds the MTU. The sender fragments the packet, marks it with a fragment number, and sends all fragments. The receiver reassembles them.

DPD keepalives are sent periodically to verify the peer is still reachable; if no response is received, the peer is declared dead.

Question 2 · MCQ · medium

An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?

A. The IKEv2 proposal does not match between hub and spoke.
B. The certificate authority is not trusted by the hub.
C. The tunnel interface is not in an up/up state.
D. The loopback0 is not advertised in the routing protocol.

Answer: D

Correct because without a route, the spokes cannot reach the loopback.

Why this answer

In FlexVPN, the tunnel IP addresses are typically used for routing, and the loopback may not be advertised into the routing protocol or may not be reachable via the tunnel interface. If the hub's loopback is not included in the routing updates (e.g., via a network statement in EIGRP or OSPF), the spokes will not have a route to it. Option D is correct because the loopback is not being advertised.

Option A is incorrect because IKEv2 is working. Option B is incorrect because certificates are not the issue. Option C is incorrect because the tunnel itself is up.

Question 3 · MCQ · medium

Examine this configuration for a site-to-site VPN on a Cisco router:

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

Which statement about this configuration is true?

A. The crypto map uses IKEv2 for key exchange because the transform set uses SHA-256.
B. The access-list 101 defines the traffic that will be encrypted; traffic from 192.168.10.0/24 to 192.168.20.0/24 will be protected.
C. The ISAKMP policy lifetime of 86400 seconds is too long and will cause the tunnel to fail.
D. The crypto map should be applied to the tunnel interface, not the physical interface.

Answer: B

The 'match address 101' in the crypto map references ACL 101, which permits the specified source and destination networks. Only matching traffic triggers IPsec encryption.

Why this answer

This is a classic crypto map-based site-to-site IPsec VPN. The ISAKMP policy defines phase 1 parameters, the transform set defines phase 2, and the crypto map binds them together with the peer and interesting traffic ACL. The ACL 101 specifies traffic from 192.168.10.0/24 to 192.168.20.0/24 to be encrypted.

Question 4 · Drag & Drop · medium

Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.


Why this order

In FlexVPN, when a spoke needs to reach another spoke, it first sends an IKEv2 request to the hub. The hub redirects the spoke to the destination spoke's public address. The requesting spoke then initiates a direct IKEv2 SA with the destination spoke, and after authentication, they establish an IPsec SA for data transfer.

Question 5 · MCQ · medium

Consider the following DMVPN configuration on a hub router:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint

What is the effect of the command 'ip nhrp map multicast dynamic'?

A. It statically maps the hub's own NBMA address to the multicast group.
B. It enables the hub to dynamically add spoke NBMA addresses to the multicast NHRP map for forwarding multicast traffic to all spokes.
C. It configures the hub to send NHRP registration requests to the multicast address 224.0.0.1.
D. It disables multicast forwarding over the tunnel interface.

Answer: B

This is the correct function: the hub learns spoke addresses dynamically and uses them for multicast replication.

Why this answer

The 'ip nhrp map multicast dynamic' command allows the hub to dynamically learn the NBMA addresses of spoke routers when they register via NHRP, and then automatically add those addresses to the multicast list for forwarding multicast traffic (such as routing protocol hellos) to all spokes.

Question 6 · MCQ · hard

A network engineer runs the following command on Router R6:

R6# show ip bgp vpnv4 all summary
BGP router identifier 10.0.0.6, local AS number 65000
BGP table version is 10, main routing table version 10
10 network entries using 1440 bytes of memory
10 path entries using 800 bytes of memory
4/3 BGP path/bestpath attribute entries using 576 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 2896 total bytes of memory
BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.7        4 65001    1000    1000       10    0    0 00:20:00        5
10.0.0.8        4 65002     500     500       10    0    0 00:10:00        3

Based on this output, what can be concluded?

A. Both BGP sessions are in the Idle state.
B. The router is receiving VPNv4 prefixes from both neighbors.
C. The BGP table has no entries because the table version is 10.
D. The neighbor 10.0.0.8 is not configured for VPNv4.

Answer: B

The State/PfxRcd shows 5 and 3 prefixes received, confirming VPNv4 route exchange.

Why this answer

The BGP summary shows two VPNv4 neighbors: 10.0.0.7 (AS 65001) and 10.0.0.8 (AS 65002). The State/PfxRcd column shows 5 and 3 prefixes received respectively, meaning both peers are exchanging VPN routes. The local AS is 65000, making these EBGP sessions.

Question 7 · MCQ · hard

A network engineer runs the following command on Router R5:

R5# show ip route vrf CUSTOMER-A

Routing Table: CUSTOMER-A
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
B       10.2.2.0/24 [20/0] via 10.1.1.1, 00:10:20

Based on this output, what can be concluded?

A. The VRF has no routes and is not functional.
B. The route 10.2.2.0/24 is learned via OSPF.
C. The VRF has a default route pointing to 10.1.1.1.
D. The BGP route is sourced from an internal BGP peer.

Answer: C

The gateway of last resort is 10.1.1.1, meaning a default route exists via that next hop.

Why this answer

The VRF CUSTOMER-A has a BGP route (10.2.2.0/24) learned from 10.1.1.1 with administrative distance 20 (EBGP). The gateway of last resort is set to 10.1.1.1, indicating a default route via that next hop.

Question 8 · MCQ · medium

A network engineer runs the following command on Router R4:

R4# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.54567
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 00:15:30
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 10.0.0.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.1

Based on this output, what can be concluded?

A. The LDP session is down due to a TCP connection issue.
B. The LDP session is established over the GigabitEthernet0/0 interface.
C. The peer is not sending any LDP messages.
D. The local router has only one label binding for the peer.

Answer: B

The discovery source shows GigabitEthernet0/0, confirming the session is via that interface.

Why this answer

The LDP session is operational (State: Oper) with a peer at 10.0.0.2. The discovery source is GigabitEthernet0/0, indicating the session is established over that interface. The peer has two addresses bound.

Question 9 · Drag & Drop · medium

Drag and drop the steps of the IKEv2 fragmentation and DPD keepalive process into the correct order, from first to last.


Why this order

During IKEv2, if the IKE packet exceeds the MTU, the sender fragments it into smaller pieces. The receiver reassembles the fragments into the original packet. After the IKE SA is established, the peers send Dead Peer Detection (DPD) keepalives to verify connectivity.

If no response is received, the peer retransmits the DPD. After multiple failures, the peer declares the SA dead and deletes it.

Question 10 · Multi-Select · medium

Which two statements about IPsec IKEv2 are true? (Choose two.)

A. IKEv2 uses UDP port 500 for initial negotiation and can switch to UDP 4500 for NAT traversal.
B. IKEv2 supports EAP authentication for remote access VPNs.
C. IKEv2 uses TCP port 500 for control plane messages.
D. IKEv2 requires a separate IPsec SA for each direction of traffic.
E. IKEv2 is not compatible with certificate-based authentication.

Answers: A, B

Correct because IKEv2 uses UDP 500 and 4500 for NAT-T.

Why this answer

IKEv2 uses UDP ports 500 and 4500, supports EAP authentication, and is more robust than IKEv1. It does not use TCP, and it supports multiple simultaneous SAs.

Question 11 · MCQ · medium

Given this configuration on a Cisco IOS-XE router:

crypto ikev2 keyring KEYRING
 peer SPOKE1
  address 192.168.2.1
  pre-shared-key cisco123
!
crypto ikev2 profile IKEV2_PROF
 match identity remote address 192.168.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring KEYRING
!

What is missing from this configuration for a successful IKEv2 tunnel to the peer at 192.168.2.1?

A. The configuration is complete; no additional commands are needed.
B. The profile is missing the 'set transform-set' command to specify the IPsec transform set.
C. The IKEv2 proposal and policy are not defined and must be referenced by the profile or the IPsec profile.
D. The keyring must use a different name to match the profile.

Answer: C

IKEv2 requires a proposal (encryption, integrity, DH group) and a policy to associate the proposal with the profile. Without these, the IKEv2 negotiation will fail.

Why this answer

The configuration includes an IKEv2 keyring with a pre-shared key and an IKEv2 profile that matches the peer identity and specifies pre-shared key authentication. However, the IKEv2 proposal and policy are not referenced. The profile must be associated with an IKEv2 policy that defines encryption, integrity, and DH group parameters.

Without a proposal/policy, IKEv2 cannot negotiate the security parameters.

Question 12 · Multi-Select · medium

Which two statements about DMVPN Phase 2 are true? (Choose two.)

A. Spokes can establish direct tunnels to each other without traversing the hub.
B. All traffic must pass through the hub router at all times.
C. NHRP is used to resolve the public IP addresses of spokes.
D. Phase 2 uses only point-to-point GRE tunnels on the hub.
E. Phase 2 does not support dynamic routing protocols between spokes.

Answers: A, C

Correct because Phase 2 enables spoke-to-spoke dynamic tunnels.

Why this answer

DMVPN Phase 2 allows spoke-to-spoke tunnels after initial hub registration, uses mGRE on spokes, and supports dynamic routing between spokes. NHRP is used for resolution.

Question 13 · Drag & Drop · medium

Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.


Why this order

In GET VPN, the group member first registers with the key server using ISAKMP. The key server authenticates the member and pushes the initial policy and key. After registration, the key server periodically sends rekey messages to update the group encryption key.

The group member acknowledges the rekey, and then both sides install the new key for ongoing encryption.

Question 14 · Drag & Drop · medium

Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.


Why this order

AnyConnect session establishment begins with the client establishing a TLS tunnel to the ASA headend. The ASA presents its digital certificate for authentication. The client then authenticates the user, and the ASA assigns an IP address from a pool.

Finally, the client installs the virtual adapter and the session is established.

Question 15 · MCQ · easy

An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?

A. The Dead Peer Detection (DPD) interval is too short.
B. The IKE Phase 1 lifetime is set too low.
C. The IPsec transform set is misconfigured.
D. The Phase 2 lifetime is longer than Phase 1.

Answer: B

Correct because a short lifetime causes frequent rekeys, which can lead to drops if not synchronized.

Why this answer

IKE Phase 1 SAs have a lifetime; when the lifetime expires, the SA is rekeyed. If the rekey fails or is delayed, the tunnel may drop temporarily. Option B is correct because the lifetime expiration is the most common cause.

Option A is incorrect because DPD is used to detect dead peers, not cause drops. Option C is incorrect because rekeying is normal. Option D is incorrect because the Phase 2 lifetime is separate.

Question 16 · Drag & Drop · medium

Drag and drop the steps of IKEv2 IPsec tunnel establishment into the correct order, from first to last.


Why this order

IKEv2 uses a two-phase process: Phase 1 (IKE_SA_INIT) establishes a secure channel, then Phase 2 (IKE_AUTH and CREATE_CHILD_SA) authenticates peers and creates IPsec SAs. The order is:

1. IKE_SA_INIT exchange
2. IKE_AUTH exchange
3. CREATE_CHILD_SA exchange
4. IPsec SA installation
5. Data encryption/decryption

Question 17 · Drag & Drop · medium

Drag and drop the steps of the DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.


Why this order

In DMVPN Phase 2, the spoke sends an NHRP Resolution Request to the hub to learn the public address of the destination spoke. The hub forwards this request to the destination spoke, which replies with an NHRP Resolution Reply containing its public address. The hub forwards the reply back to the requesting spoke, and then the two spokes establish a direct tunnel.

Question 18 · Multi-Select · hard

Which two statements about DMVPN phase 2 are true? (Choose two.)

A. In DMVPN phase 2, spoke routers can establish direct tunnels to each other without traffic passing through the hub.
B. DMVPN phase 2 requires mGRE on the hub only; spokes use point-to-point GRE tunnels.
C. NHRP redirect messages are used in phase 2 to inform spokes of better paths to remote destinations.
D. DMVPN phase 2 supports only IPsec protection and cannot operate without encryption.
E. In DMVPN phase 2, spoke routers must be configured with static crypto maps for IPsec.

Answers: A, C

Correct because phase 2 enables spoke-to-spoke dynamic tunnels after the hub provides the peer's NBMA address via NHRP.

Why this answer

DMVPN phase 2 allows spoke-to-spoke tunnels after initial hub registration, using NHRP to resolve destination addresses and enabling direct traffic flows.

Question 19 · Drag & Drop · medium

Drag and drop the steps of SSL VPN (AnyConnect) session establishment into the correct order, from first to last.


Why this order

The AnyConnect client first establishes a TLS/DTLS tunnel to the ASA headend. The ASA then authenticates the user via AAA. After authentication, the ASA pushes client configuration and assigns an IP address from a pool.

The client installs the virtual adapter with the assigned IP. Finally, the client can send encrypted traffic through the tunnel.

Question 20 · Multi-Select · hard

Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)

A. Customer edge (CE) routers exchange routing information with provider edge (PE) routers using static routing, RIP, OSPF, EIGRP, or BGP.
B. VRF (Virtual Routing and Forwarding) instances are used on PE routers to maintain separate routing tables for each VPN customer.
C. MP-BGP (Multiprotocol BGP) is used between PE routers to exchange VPNv4 routes, which include an RD and RT.
D. The MPLS core routers (P routers) maintain full VPN routing tables to forward traffic based on customer IP prefixes.
E. Route targets (RT) are used to uniquely identify each customer VPN across the provider network.

Answers: A, B, C

Correct because PE-CE routing can use any of these protocols, as supported by the provider's configuration.

Why this answer

MPLS L3VPNs use VRFs for isolation, MP-BGP for route exchange, and MPLS labels for forwarding, with the provider core unaware of customer routes.

Question 21 · Matching · medium

Drag and drop each IPsec mode on the left to its matching header usage on the right.

Matches

New IP header + ESP header + encrypted original packet

Original IP header + ESP trailer + encrypted payload

New IP header + AH header + original packet

Original IP header + AH header + payload

Encrypts entire original IP packet

Why these pairings

Tunnel mode encrypts original IP header and adds new IP header; transport mode only encrypts payload and leaves original IP header intact.

Question 22 · MCQ · medium

Examine the following IPsec configuration snippet:

crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2_POL
 proposal IKEV2_PROP
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROF
 set transform-set TSET
 set ikev2-profile IKEV2_POL

Which statement about this configuration is true?

A. The transform set uses ESP with AES-256 encryption and SHA-256 HMAC for authentication.
B. The IKEv2 proposal uses AES-256, SHA-256, and DH group 14, but the IPsec profile will not apply because the ikev2-profile command is missing the 'set' keyword.
C. The transform set is configured in transport mode, which is incorrect for site-to-site VPN.
D. The IPsec profile is incomplete because it does not include a PFS (Perfect Forward Secrecy) setting.

Answer: A

The transform set command 'esp-aes 256 esp-sha256-hmac' specifies ESP with AES-256 encryption and SHA-256 HMAC for integrity/authentication.

Why this answer

The configuration defines an IKEv2 proposal with AES-256 encryption, SHA-256 integrity, and Diffie-Hellman group 14. The IPsec transform set uses AES-256 and SHA-256. The IPsec profile references both the transform set and the IKEv2 profile.

Note that the IKEv2 policy is not what the IPsec profile binds: 'set ikev2-profile' references an IKEv2 profile, not an IKEv2 policy. The correct statement is that the transform set uses ESP with AES-256 encryption and SHA-256 HMAC.

Question 23 · Matching · medium

Drag and drop each security protocol on the left to its matching provided security service on the right.

Matches

Confidentiality and data integrity

Data integrity and authentication without encryption

Data integrity only

Confidentiality and data integrity with authentication

Sequence number verification

Why these pairings

ESP provides confidentiality, data integrity, and optional anti-replay; AH provides data integrity and authentication but no encryption; ESP with null encryption provides integrity only; combined ESP+AH provides both confidentiality and integrity; anti-replay is a service provided by both ESP and AH.

Question 24 · MCQ · medium

A network engineer runs the following command on Router R2:

R2# show crypto ipsec sa peer 10.2.2.2

interface: Tunnel0
    Crypto map tag: CMAP, local addr 10.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts compressed: 0, #pkts decompress: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Based on this output, what can be concluded?

A. The IPsec tunnel is functioning correctly with no issues.
B. There is a routing problem causing packets to be dropped in one direction.
C. The tunnel is using compression, as shown by the compress counters.
D. The remote peer is not responding to IKE requests.

Answer: B

The difference between encaps and decaps counts indicates that some packets sent are not being received, likely due to routing or firewall issues.

Why this answer

The packet counters show 1500 packets encapsulated (sent) but only 1200 decapsulated (received). This asymmetry indicates possible packet loss or a routing issue in one direction.

Question 25 · MCQ · medium

Consider the following configuration for a FlexVPN spoke router:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel protection ipsec profile FLEXPROF
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 192.168.1.1

What is the purpose of the 'ip nhrp map 10.0.0.1 192.168.1.1' command?

A. It maps the spoke's tunnel IP to its own physical interface IP for local routing.
B. It provides a static mapping from the hub's tunnel IP (10.0.0.1) to the hub's physical IP (192.168.1.1) so the spoke can reach the hub.
C. It enables multicast mapping for dynamic spoke discovery.
D. It configures the spoke to register with the hub using the specified physical address.

Answer: B

This static NHRP mapping tells the spoke how to reach the hub's tunnel interface via the hub's physical NBMA address.

Why this answer

In FlexVPN (or DMVPN), the 'ip nhrp map' command statically maps a tunnel IP address (10.0.0.1) to a physical NBMA address (192.168.1.1). This is used by the spoke to know the hub's physical address for NHRP registration and communication.

Question 26 · MCQ · hard

A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?

A. The NHRP network ID is mismatched between the hub and spokes.
B. The spokes are not configured with a crypto map for IPsec.
C. The hub is not configured to propagate spoke routes to other spokes.
D. The tunnel mode is set to GRE instead of mGRE on the spokes.

Answer: C

Correct because without route propagation, spokes cannot learn each other's networks.

Why this answer

In DMVPN Phase 2, spokes learn about other spoke networks via the hub using dynamic routing (e.g., EIGRP or OSPF). The hub must be configured to propagate spoke routes to other spokes. If the hub is not configured to redistribute or advertise the spoke subnets, the spokes will not have routes to each other.

Option C is correct because the hub must have a routing configuration that allows spoke-to-spoke route propagation. Option A is incorrect because NHRP is used for mapping, not routing. Option B is incorrect because spoke-to-spoke tunnels are established dynamically via NHRP.

Option D is incorrect because mGRE is the correct interface type for DMVPN.

Question 27 · MCQ · medium

A network engineer is configuring a remote access VPN using Cisco AnyConnect on an ASA. The engineer wants to use certificate-based authentication. The ASA is configured with a CA server. After configuration, users can connect, but they are prompted for a username and password instead of using certificates. The engineer checks the ASA configuration and sees that the tunnel group has authentication method set to AAA. What should the engineer do to fix this?

A. Re-enroll the CA certificate on the ASA.
B. Change the connection profile to use the correct group.
C. Configure the group policy to require certificates.
D. Change the tunnel group authentication method to certificate.

Answer: D

Correct because the authentication method must be set to certificate.

Why this answer

For certificate-based authentication, the tunnel group must be configured to use certificate authentication. If it is set to AAA, the ASA will prompt for credentials. Option D is correct because the authentication method must be changed.

Option A is incorrect because the CA is already configured. Option B is incorrect because the connection profile is not the issue. Option C is incorrect because the group policy does not control authentication method.

Question 28 · Matching · medium

Drag and drop each VPN type on the left to its matching tunnel technology on the right.

Matches

mGRE with NHRP

IKEv2 per-peer tunnel

GDOI group encryption

TLS/DTLS client VPN

Static virtual tunnel interface

Why these pairings

DMVPN uses mGRE with NHRP; FlexVPN uses IKEv2 with per-peer tunnels; GET VPN uses GDOI for group encryption; AnyConnect uses TLS/DTLS for client-based remote access.

Question 29 · Drag & Drop · medium

Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.


Why this order

In GET VPN, a group member (GM) first registers with the key server (KS) using ISAKMP. The KS authenticates the GM and then pushes the current policy and encryption keys (TEK and KEK) to the GM. The KS periodically sends a rekey message to all GMs to update the keys before they expire.

Question 30 · Drag & Drop · medium

Drag and drop the steps of DMVPN Phase 3 NHRP registration and spoke-to-spoke tunnel establishment into the correct order, from first to last.


Why this order

In DMVPN Phase 3, the spoke first registers its NHRP mapping with the hub, then the hub propagates the mapping. When a spoke needs to reach another spoke, it sends an NHRP resolution request to the hub, the hub replies with the mapping, and then the spoke initiates a direct IPsec tunnel to the target spoke.

Question 31 · MCQ · easy

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv1. The engineer configures a crypto map on the outside interface. The tunnel establishes, but only traffic from one direction is encrypted. For example, traffic from Router A to Router B is encrypted, but traffic from Router B to Router A is not. The engineer checks the crypto map on Router B and finds that it is not applied to the correct interface. What is the most likely issue?

A. The crypto map is not applied to the outside interface on Router B.
B. The access list on Router B is missing the permit statement for the traffic.
C. The transform set on Router B is different from Router A.
D. The peer address on Router B is configured incorrectly.

Answer: A

Correct because the crypto map must be applied on both sides.

Why this answer

For IPsec to work bidirectionally, the crypto map must be applied to the outside interface on both routers. If it is missing on one side, that router will not encrypt outgoing traffic. Option A is correct because the crypto map is not applied on Router B.

Option B is incorrect because the access list is not the issue. Option C is incorrect because the transform set is used for encryption. Option D is incorrect because the peer is configured.

Question 32 · MCQ · medium

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa
dst             src             state          conn-id slot
10.1.1.2        10.1.1.1        MM_NO_STATE          1    0

Based on this output, what can be concluded?

A. The IPsec VPN tunnel is fully established and passing traffic.
B. IKE Phase 1 is in progress but not yet complete.
C. The ISAKMP SA has been deleted due to a timeout.
D. The remote peer has rejected the IKE proposal.

Answer: B

MM_NO_STATE is the initial state before Main Mode completes; it indicates negotiation is ongoing or stuck.

Why this answer

The MM_NO_STATE indicates that the IKE Phase 1 negotiation has not progressed past the initial state. This typically means that the remote peer is not responding or the ISAKMP policy does not match.

Question 33 · Matching · medium

Drag and drop each security protocol on the left to its matching service on the right.

Matches

Encryption and authentication

Integrity and authentication only

Authentication without encryption

Both integrity and confidentiality

Encrypts TCP/UDP payload

Why these pairings

ESP provides confidentiality (encryption) and authentication; AH provides integrity and authentication but no encryption; ESP with NULL encryption provides authentication only.

Question 34 · Multi-Select · medium

Which two statements about IPsec IKEv2 are true? (Choose two.)

A. IKEv2 uses UDP port 500 for initial negotiation and can switch to UDP port 4500 for NAT traversal.
B. IKEv2 requires a separate authentication phase for each security association established.
C. IKEv2 supports EAP authentication for remote access VPNs.
D. IKEv2 uses only pre-shared keys for authentication and does not support digital certificates.
E. IKEv2 is backward compatible with IKEv1 and can interoperate with older peers.

Answers: A, C

Correct because IKEv2 uses UDP 500 for standard exchanges and moves to UDP 4500 when NAT is detected, as per RFC 7296.

Why this answer

IKEv2 improves upon IKEv1 by using fewer messages for SA establishment and providing built-in NAT traversal and mobility support.

Question 35 · MCQ · medium

A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?

A.The lifetimes are set too high; they should be 3600 seconds.
B.The hash algorithm is not specified and defaults may differ between routers.
C.The Diffie-Hellman group 14 is not supported on these routers.
D.Pre-shared keys cannot be used with AES-256 encryption.
AnswerB

Correct because the default hash algorithm can vary, causing a mismatch.

Why this answer

The IKE policy parameters must match exactly on both peers. In this scenario the two policies look identical, but neither specifies a hash algorithm, so each router fills that gap from its own built-in default, and that default depends on the platform and IOS version. If the two routers end up offering different hash algorithms, the responder finds no acceptable policy and Phase 1 never completes. Check the effective values with show crypto isakmp policy on both routers and set the hash explicitly (for example hash sha256) so the negotiated value never depends on a default.

Option B is correct because the hash algorithm mismatch is a frequent cause of failure. Option A is incorrect because the lifetimes match. Option C is incorrect because group 14 is valid.

Option D is incorrect because pre-shared keys can be used with strong encryption.
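The matching rule this question turns on, as an added Python example that is not part of the quiz page: unspecified parameters are filled from each router's own defaults, then the responder applies the IKEv1 policy-selection rule as the IOS configuration guide describes it (its policies are checked in priority order, encryption, hash, authentication and DH group must be equal, and the initiator's lifetime may not exceed the responder's, the shorter one being used). The two default tables and the policy values are assumptions for the worked case; read the real defaults from show crypto isakmp policy on your own platform.

```python
"""Added example (not from the quiz page): emulate Cisco IOS IKEv1 policy
selection to show why an unspecified hash can break Phase 1."""

FIELDS = ("encryption", "hash", "authentication", "group", "lifetime")

# ASSUMPTION for the worked case: the two routers fill unspecified
# parameters from different built-in defaults. Verify real defaults with
# `show crypto isakmp policy` before trusting these tables.
DEFAULTS_R1 = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": 1, "lifetime": 86400}
DEFAULTS_R2 = {"encryption": "des", "hash": "md5", "authentication": "rsa-sig", "group": 1, "lifetime": 86400}


def complete(policy, defaults):
    """The policy as the router really offers it: every gap filled from its defaults."""
    return {f: policy.get(f, defaults[f]) for f in FIELDS}


def mismatches(local, remote):
    """Attributes that stop `local` from accepting `remote`, i.e. what hides behind a
    'atts are not acceptable' line in `debug crypto isakmp`. Lifetime only fails when
    the remote peer asks for a longer lifetime than the local policy allows."""
    bad = [f for f in FIELDS if f != "lifetime" and local[f] != remote[f]]
    if remote["lifetime"] > local["lifetime"]:
        bad.append("lifetime")
    return bad


def negotiate(initiator, responder, init_defaults, resp_defaults):
    """Responder checks its own policies from the lowest priority number upward against
    every proposal the initiator sent. Returns (responder_prio, initiator_prio, agreed
    policy) or None when Phase 1 cannot complete."""
    offers = [(p, complete(pol, init_defaults)) for p, pol in sorted(initiator.items())]
    for rp, rpol in sorted(responder.items()):
        local = complete(rpol, resp_defaults)
        for ip, remote in offers:
            if not mismatches(local, remote):
                agreed = dict(local, lifetime=min(local["lifetime"], remote["lifetime"]))
                return rp, ip, agreed
    return None


# The quiz scenario: an identical-looking policy 10 on both sides, hash never set.
SCENARIO = {"authentication": "pre-share", "encryption": "aes 256", "group": 14, "lifetime": 86400}
FIXED = dict(SCENARIO, hash="sha256")   # the repair: make the hash explicit on both routers


def quiz_case():
    return negotiate({10: SCENARIO}, {10: SCENARIO}, DEFAULTS_R1, DEFAULTS_R2)


def fixed_case():
    return negotiate({10: FIXED}, {10: FIXED}, DEFAULTS_R1, DEFAULTS_R2)


if __name__ == "__main__":
    print("as configured:", quiz_case())   # None: R2 compares its md5 default with R1's sha
    print("differences:", mismatches(complete(SCENARIO, DEFAULTS_R2), complete(SCENARIO, DEFAULTS_R1)))
    print("with explicit hash:", fixed_case())
```

The same mismatches() check is what to run mentally over two show crypto isakmp policy outputs when a tunnel stays in MM_NO_STATE: compare the effective values, not the lines the engineer typed.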

36
Matchingmedium

Drag and drop each VPN type on the left to its matching tunnel technology on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

mGRE with NHRP

IKEv2-based VPN

GDOI group key management

TLS/DTLS for remote access

IKEv1 or IKEv2 with ESP

Why these pairings

DMVPN uses mGRE and NHRP; FlexVPN uses IKEv2; GET VPN uses GDOI; AnyConnect uses TLS/DTLS; Site-to-Site IPsec VPN uses IKEv1 or IKEv2 with ESP.

37
Matchingmedium

Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hub-and-spoke with NHRP registration

Spoke-to-spoke dynamic tunnel via NHRP resolution request/reply

NHRP with prefix-based spoke-to-spoke shortcut

NHRP with BGP for routing

NHRP with OSPF for routing

Why these pairings

DMVPN has exactly three phases, distinguished by how NHRP is used. Phase 1 uses NHRP only for spoke registration with the hub (the NHS), and all traffic flows spoke-hub-spoke. Phase 2 lets a spoke send an NHRP resolution request through the hub and build a direct spoke-to-spoke tunnel from the reply, which requires the spokes to carry full routes with the remote spoke as next hop. Phase 3 adds NHRP redirect on the hub and NHRP shortcut on the spokes, so the hub may advertise summary routes and a spoke installs a prefix-based shortcut after the hub redirects it. The routing protocol (BGP, OSPF or EIGRP) is chosen independently of the phase, so the BGP and OSPF items are distractors rather than phases of their own.

38
Matchingmedium

Drag and drop each IPsec mode on the left to its matching header usage on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

New IP header + ESP header + original IP packet + ESP trailer

Original IP header + ESP header + payload + ESP trailer

New IP header + AH header + original IP packet

Original IP header + AH header + payload

UDP encapsulation of ESP packet

Why these pairings

Tunnel mode protects the whole original packet, header included, behind a new IP header; transport mode keeps the original IP header in the clear and protects only the payload. With ESP, the ESP header sits between the outer IP header (new or original) and the protected data, followed by the ESP trailer and ICV. AH in transport mode authenticates the payload and the immutable fields of the original header; AH in tunnel mode authenticates the entire encapsulated packet, again excluding mutable fields of the new header. UDP encapsulation of the ESP packet is NAT traversal (NAT-T): ESP is carried inside UDP port 4500 so that a NAT device can translate it.

39
MCQmedium

Given the following configuration on a Cisco IOS-XE router:

interface Tunnel100
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE

What is the effect of this configuration?

A.It creates a GRE tunnel with IPsec encryption.
B.It creates a VTI (Virtual Tunnel Interface) that encrypts all traffic routed into the tunnel using IPsec.
C.It creates a DMVPN phase 1 tunnel with mGRE.
D.It creates a L2TPv3 tunnel for layer 2 transport.
AnswerB

The tunnel mode ipsec ipv4 creates a static VTI, which encrypts any traffic sent to the tunnel interface using the referenced IPsec profile.

Why this answer

This configuration creates a point-to-point tunnel interface that uses IPsec to encrypt traffic between the local router and the remote peer at 192.168.1.1. The tunnel mode ipsec ipv4 enables IPsec encapsulation of IPv4 packets, and the tunnel protection command applies an IPsec profile for encryption.

40
Multi-Selectmedium

Which three statements about FlexVPN are true? (Choose three.)

Select 3 answers
A.FlexVPN uses IKEv2 as its underlying key exchange protocol.
B.FlexVPN supports both site-to-site and remote access VPN topologies.
C.FlexVPN requires a dedicated AAA server for all authentication functions.
D.FlexVPN can use digital certificates or pre-shared keys for authentication.
E.FlexVPN uses NHRP to dynamically discover spoke routers and establish direct tunnels.
AnswersA, B, D

Correct because FlexVPN is built on IKEv2, leveraging its features like EAP, mobility, and NAT traversal.

Why this answer

FlexVPN is Cisco's IKEv2-based VPN framework. It supports hub-and-spoke, spoke-to-spoke and remote access topologies, authenticates with certificates, pre-shared keys or EAP, and does not require a AAA server for every authentication (a local keyring or PKI trustpoint is sufficient; AAA is used for per-peer authorization when needed). Option E is marked incorrect because FlexVPN spokes do not discover each other through DMVPN-style NHRP registration over mGRE. Note, however, that the FlexVPN spoke-to-spoke feature does run NHRP redirect and resolution over the IKEv2 tunnels to build direct spoke tunnels, so the option is wrong as a description of FlexVPN's discovery mechanism rather than because NHRP is absent.

41
MCQmedium

In a DMVPN phase 2 network, what is the primary advantage of using phase 2 over phase 1?

A.Phase 2 supports dynamic routing protocols over the tunnel, while phase 1 does not.
B.Phase 2 allows spoke-to-spoke direct tunnels, bypassing the hub for data traffic.
C.Phase 2 uses mGRE on both hub and spokes, while phase 1 uses p2p GRE on spokes.
D.Phase 2 supports IPsec encryption natively, while phase 1 requires additional configuration.
AnswerB

Phase 2 lets spokes build dynamic spoke-to-spoke tunnels (the spoke sends an NHRP resolution request through the hub and learns the remote spoke's NBMA address from the reply), so data traffic between spokes no longer transits the hub.

Why this answer

DMVPN Phase 2 allows spoke-to-spoke tunnels to be established dynamically: the originating spoke sends an NHRP resolution request to the hub, learns the destination spoke's NBMA address from the resolution reply, and forwards directly. This takes the hub out of the data path for spoke-to-spoke traffic, reducing latency and hub load. Phase 1 supports only a hub-and-spoke topology in which all traffic passes through the hub. NHRP redirect and shortcut are the Phase 3 mechanism, not part of Phase 2.

42
MCQhard

A network engineer is configuring a DMVPN Phase 3 network. The hub router is a Cisco 4500X and the spokes are Cisco 4321s. The engineer wants to enable spoke-to-spoke direct communication. After configuration, the spokes can communicate via the hub, but not directly. The engineer checks the NHRP cache on a spoke and sees that it has a mapping for the other spoke's tunnel IP to the hub's physical IP. What is the most likely cause?

A.The NHRP network ID is mismatched between the spokes.
B.The routing protocol is not redistributing spoke routes.
C.The hub is not configured with NHRP redirect.
D.The spokes are using GRE instead of mGRE.
AnswerC

Correct because NHRP redirect is required for Phase 3 spoke-to-spoke shortcuts.

Why this answer

In DMVPN Phase 3, the hub must be configured with ip nhrp redirect and the spokes with ip nhrp shortcut. When a packet enters and leaves the hub on the same mGRE interface, the hub sends an NHRP Traffic Indication (redirect) to the source spoke, which then sends a resolution request and installs a shortcut for the destination prefix. If the hub lacks ip nhrp redirect, no redirect is ever sent, the spokes' NHRP caches keep pointing at the hub, and spoke-to-spoke traffic continues to transit the hub, which matches the symptom described. Option C is correct because the hub must have NHRP redirect enabled.

Option A is incorrect because the spokes are registered. Option B is incorrect because the routing protocol is working. Option D is incorrect because the tunnel mode is correct.

43
MCQmedium

A network engineer runs the following command on Router R8:

R8# show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:10:00, expire 01:50:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:05:00, expire 01:55:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.2

Based on this output, what can be concluded?

A.The router has static NHRP mappings configured.
B.The router is a DMVPN hub with two registered spokes.
C.The NHRP entries are about to expire because the expire time is less than 2 hours.
D.The router is a spoke because it has only two entries.
AnswerB

Dynamic entries with 'unique registered' flags indicate spoke registrations on a hub.

Why this answer

The NHRP cache shows two dynamic entries, 10.0.0.1 and 10.0.0.2, with NBMA addresses 192.168.1.1 and 192.168.1.2. The flags unique registered mean the entries were created by NHRP registration requests from those peers, which only a next-hop server receives, so R8 is the hub and the two entries are its registered spokes. A spoke's cache would instead show its NHS as a static entry (from ip nhrp map) and any other spokes it has resolved as dynamic entries without the registered flag.

44
Drag & Dropmedium

Drag and drop the steps of FlexVPN spoke-to-spoke dynamic tunnel creation into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

FlexVPN spoke-to-spoke tunnels are built on demand with NHRP running over the IKEv2 tunnels, much as in DMVPN Phase 3. First, the originating spoke sends the packet through its IKEv2 tunnel to the hub, which forwards it toward the destination spoke. Because the packet entered and left the hub on the same virtual template, the hub (configured with ip nhrp redirect) sends an NHRP redirect back to the originating spoke. The originating spoke (configured with ip nhrp shortcut) then sends an NHRP resolution request, which the hub relays to the destination spoke.

The destination spoke initiates a direct IKEv2 session to the originating spoke's address learned from the request; both spokes complete IKEv2 authentication and child SA setup on dynamically created virtual-access interfaces, and the resolution reply is delivered over that direct tunnel. Finally, traffic flows directly between the spokes without transiting the hub.

45
Matchingmedium

Drag and drop each DMVPN phase on the left to its matching NHRP operation type on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Spoke-to-hub only via NHRP registration

Spoke-to-spoke via NHRP redirect

Spoke-to-spoke via NHRP shortcut

Redirect from hub to trigger direct tunnel

Shortcut resolution by spoke

Why these pairings

Phase 1 allows spoke-to-hub traffic only, with spokes registering their NBMA addresses at the hub. Phase 2 allows spoke-to-spoke tunnels triggered by the spoke itself, which sends an NHRP resolution request through the hub; no redirect is involved. Phase 3 introduces both NHRP redirect (sent by the hub to trigger the direct tunnel) and NHRP shortcut (the spoke resolving the destination and installing a more specific route). So the redirect and shortcut items both belong to Phase 3, redirect being the hub's part and shortcut the spoke's.
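A runnable model of the redirect and shortcut mechanics that Questions 41, 42 and 45 turn on, added here as an example and not code from the quiz page. It is a toy: the router names, addresses and single-interface routing tables are constructed, and there is no real NHRP, GRE or IPsec. What it reproduces is the control flow. With ip nhrp redirect on the hub and ip nhrp shortcut on the spokes, the first packet goes spoke-hub-spoke and triggers a redirect, a resolution request relayed by the NHS and a reply sent directly by the spoke that owns the prefix; with redirect missing (the Question 42 fault) the path never changes.

```python
"""Added example (not from the quiz page): toy model of DMVPN Phase 3 NHRP
redirect and shortcut. Router names, addresses and routes are constructed."""
import ipaddress
from dataclasses import dataclass, field

UNDERLAY = {}  # NBMA (physical) address -> Router; stands in for the transport network


@dataclass
class Router:
    name: str
    tunnel_ip: str
    nbma: str
    redirect: bool = False           # hub:   `ip nhrp redirect`
    shortcut: bool = False           # spoke: `ip nhrp shortcut`
    nhs: "Router | None" = None      # spoke: `ip nhrp nhs <hub tunnel ip>`
    nhrp: dict = field(default_factory=dict)    # NHRP cache: tunnel IP -> NBMA
    routes: dict = field(default_factory=dict)  # prefix -> next-hop tunnel IP or "connected"
    log: list = field(default_factory=list)     # NHRP messages this router sent

    def __post_init__(self):
        UNDERLAY[self.nbma] = self

    def route(self, dst):
        """Longest-prefix match over the routing table (no metrics in this toy)."""
        addr = ipaddress.ip_address(dst)
        nets = [ipaddress.ip_network(p) for p in self.routes]
        best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen, default=None)
        return self.routes[str(best)] if best else None

    def forward(self, dst, prev=None):
        """Forward one data packet toward dst; returns the routers it traverses."""
        nh = self.route(dst)
        if nh == "connected":
            return [self.name]
        # Packet came in on the mGRE tunnel and leaves on it again: a Phase 3 hub
        # answers with an NHRP Traffic Indication (redirect) to the previous hop.
        if prev is not None and self.redirect:
            self.log.append(f"redirect -> {prev.name} for {dst}")
            prev.on_redirect(dst)
        return [self.name] + UNDERLAY[self.nhrp[nh]].forward(dst, prev=self)

    def on_redirect(self, dst):
        if not self.shortcut:            # without `ip nhrp shortcut` the redirect is ignored
            return
        self.log.append(f"resolution request for {dst} -> NHS {self.nhs.name}")
        self.nhs.on_resolution_request(self, dst)

    def on_resolution_request(self, requester, dst):
        nh = self.route(dst)
        if nh != "connected":            # an NHS relays the request toward the prefix owner
            UNDERLAY[self.nhrp[nh]].on_resolution_request(requester, dst)
            return
        prefix = next(str(n) for n in map(ipaddress.ip_network, self.routes)
                      if self.routes[str(n)] == "connected" and ipaddress.ip_address(dst) in n)
        self.nhrp[requester.tunnel_ip] = requester.nbma   # learned from the request itself
        self.log.append(f"resolution reply {prefix} -> {requester.name} (direct)")
        requester.on_resolution_reply(prefix, self)

    def on_resolution_reply(self, prefix, owner):
        self.nhrp[owner.tunnel_ip] = owner.nbma   # spoke-to-spoke NHRP mapping
        self.routes[prefix] = owner.tunnel_ip     # shortcut route, more specific than the summary


def build(hub_redirect=True):
    UNDERLAY.clear()
    hub = Router("hub", "10.0.0.254", "192.0.2.1", redirect=hub_redirect)
    s1 = Router("spoke1", "10.0.0.1", "198.51.100.1", shortcut=True, nhs=hub)
    s2 = Router("spoke2", "10.0.0.2", "198.51.100.2", shortcut=True, nhs=hub)
    for spoke, lan in ((s1, "10.1.0.0/24"), (s2, "10.2.0.0/24")):
        spoke.nhrp[hub.tunnel_ip] = hub.nbma    # static `ip nhrp map` for the NHS
        hub.nhrp[spoke.tunnel_ip] = spoke.nbma  # result of the spoke's NHRP registration
        spoke.routes[lan] = "connected"
        spoke.routes["0.0.0.0/0"] = hub.tunnel_ip   # Phase 3: hub advertises only a summary
        hub.routes[lan] = spoke.tunnel_ip           # learned by the routing protocol
    return hub, s1, s2


def demo(hub_redirect=True):
    """Paths taken by the first and the second packet from spoke1's LAN to spoke2's LAN."""
    hub, s1, s2 = build(hub_redirect)
    return s1.forward("10.2.0.10"), s1.forward("10.2.0.10")


if __name__ == "__main__":
    print("with redirect:   ", demo(True))    # second packet goes spoke1 -> spoke2
    print("without redirect:", demo(False))   # both packets go through the hub
```

Reading a spoke's NHRP cache after the first packet is the practical check: in the model s1.nhrp gains the other spoke's NBMA address and s1.routes gains the /24 shortcut, which is what show ip nhrp and show ip route show on a real spoke once the redirect has worked.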

46
MCQhard

A network engineer runs the following command on Router R3:

R3# show dmvpn
Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
        N: NATed, L: Local, X: No Socket
        # Ent -> Number of NHRP entries with same NBMA peer
        NHS Status: E => Expecting Replies, R => Responding, W => Waiting
        UpDn Time -> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.1.1            10.0.0.1    UP 00:12:34     D
     1 192.168.1.2            10.0.0.2    UP 00:10:20     D

Based on this output, what can be concluded?

A.This router is a spoke in the DMVPN network.
B.There are two active spoke routers connected to this hub.
C.The tunnel interface is down because no peers are listed.
D.The router is using static NHRP mappings for all peers.
AnswerB

Two peers are listed with UP state, both dynamically registered, indicating two active spokes.

Why this answer

The output shows a DMVPN hub with two spoke peers (10.0.0.1 and 10.0.0.2) both in UP state. The 'D' attribute indicates they are dynamically learned, which is normal for spokes. The hub has two active NHRP peers.

47
MCQeasy

What is the default IKEv1 (ISAKMP) lifetime in seconds on Cisco IOS routers?

A.3600 seconds
B.86400 seconds
C.28800 seconds
D.7200 seconds
AnswerB

The default ISAKMP lifetime is 86400 seconds (24 hours).

Why this answer

The default IKEv1 lifetime is 86400 seconds (1 day). This can be changed with the 'lifetime' command under the ISAKMP policy.

48
MCQhard

A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?

A.The KS is missing an access list to define the traffic to encrypt.
B.The group name on the GMs does not match the KS.
C.The KS is not configured with an IPsec profile.
D.The GMs are in different IP subnets than the KS.
AnswerA

Correct because the traffic selector is required for GETVPN policy.

Why this answer

In GETVPN, the KS must define a traffic selector (access list) that specifies which traffic to encrypt. Without a proper access list, the KS will not send the policy to the GMs, and traffic will pass in the clear. Option A is correct because the access list is missing.

Option B is incorrect because the GMs have already registered successfully, so the group identity is consistent. Option C is incorrect because the stem says the SA is already defined with a transform set: on a KS that is done with sa ipsec referencing an IPsec profile, so the profile is present and the missing piece is the match address ipv4 access list that gives the downloaded policy its traffic selectors. Option D is incorrect because GMs can be in different subnets from the KS; registration only needs IP reachability.

49
Drag & Dropmedium

Drag and drop the steps of DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In DMVPN Phase 2, the spoke sends an NHRP Resolution Request to the hub to learn the destination spoke's NBMA address. The hub forwards the request to the destination spoke, which replies with an NHRP Resolution Reply. The hub relays this reply back to the originating spoke.

Finally, the originating spoke installs the NHRP shortcut entry and can initiate a direct tunnel to the destination spoke.

50
Multi-Selecteasy

Which three statements about SSL VPNs are true? (Choose three.)

Select 3 answers
A.SSL VPNs use the TLS protocol to encrypt traffic between client and server.
B.SSL VPNs require a pre-shared key for authentication.
C.Clientless SSL VPN access allows users to access web applications using only a browser.
D.SSL VPNs can only operate over TCP port 443.
E.SSL VPNs support port forwarding for non-web applications.
AnswersA, C, E

Correct because SSL VPNs are based on TLS (formerly SSL).

Why this answer

SSL VPNs use TLS for encryption, can provide clientless access via web browser, and support port forwarding for legacy applications. They do not require IPsec and can use any port (typically 443).

51
Matchingmedium

Drag and drop each IKEv2 exchange on the left to its matching phase on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Phase 1 - establish IKE SA

Phase 2 - authenticate and establish first child SA

Phase 3 - create additional child SAs

Phase 4 - error notification and delete

Phase 5 - refresh keys

Why these pairings

IKE_SA_INIT is the first exchange: it negotiates the cryptographic algorithms and exchanges nonces and Diffie-Hellman values, establishing the IKE SA. IKE_AUTH is the second exchange: it authenticates the peers and creates the first child SA. CREATE_CHILD_SA creates additional child SAs and is also the exchange that rekeys both the IKE SA and existing child SAs. INFORMATIONAL carries notifications, error messages and delete payloads. IKEv2 has no separate rekey exchange, and the numbered phases used here are this quiz's labels rather than RFC 7296 terminology.

52
MCQeasy

Which IPsec protocol provides both encryption and authentication within a single ESP header?

A.AH (Authentication Header)
B.ESP (Encapsulating Security Payload)
C.IKE (Internet Key Exchange)
D.GRE (Generic Routing Encapsulation)
AnswerB

ESP can provide both encryption and authentication (depending on the transform set).

Why this answer

ESP (Encapsulating Security Payload) provides both encryption (confidentiality) and authentication (integrity) in a single header. AH only provides authentication without encryption.

53
MCQhard

A network engineer runs the following command on Router R9:

R9# show ip interface tunnel 0
Tunnel0 is up, line protocol is up
  Internet address is 10.0.0.9/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1400 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

Based on this output, what can be concluded?

A.The tunnel is down because the line protocol is up.
B.The MTU of 1400 bytes suggests this is a GRE or IPsec tunnel.
C.The tunnel is using IP compression because TCP/IP header compression is disabled.
D.The tunnel has a helper address configured for DHCP.
AnswerB

A reduced MTU is typical for tunnels that add encapsulation headers, such as GRE (24 bytes) or IPsec (up to 100 bytes).

Why this answer

The tunnel interface is up/up with an MTU of 1400 bytes. The MTU is reduced from the default 1500, which is typical for GRE/IPsec tunnels to accommodate encapsulation overhead. This indicates the tunnel is likely a GRE or IPsec tunnel.
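Where the overhead numbers in Question 53 come from, and the header orderings Question 38 asks about, as an added Python example that is not code from the quiz page. It assembles the ESP and AH header stacks for tunnel and transport mode (with optional NAT-T UDP encapsulation and GRE-over-IPsec), computes the on-wire size including cipher-block padding, and derives the largest original packet that still fits a 1500-byte link, which is the value for ip mtu on the tunnel. Header sizes follow RFC 4302, 4303, 3948 and 2784; the transform sets are named after IOS keywords and the 1400-byte sample packet is constructed.

```python
"""Added example (not from the quiz page): header stacks and byte overhead of
ESP/AH in tunnel and transport mode, with and without NAT-T and GRE, and the
largest original packet that still fits the physical MTU."""
from dataclasses import dataclass

IPV4_HDR, UDP_HDR, GRE_HDR = 20, 8, 4   # no IP options; basic GRE header (RFC 2784)
ESP_HDR = 8                             # SPI + sequence number (RFC 4303)
AH_FIXED = 12                           # next hdr, len, reserved, SPI, seq (RFC 4302)


@dataclass(frozen=True)
class Transform:
    name: str
    block: int   # alignment the ESP trailer must satisfy (cipher block; 4 for NULL)
    iv: int      # bytes of IV carried at the start of the ESP payload
    icv: int     # bytes of integrity check value


AES_CBC_SHA1 = Transform("esp-aes esp-sha-hmac", 16, 16, 12)
AES_CBC_SHA256 = Transform("esp-aes esp-sha256-hmac", 16, 16, 16)
NULL_SHA1 = Transform("esp-null esp-sha-hmac", 4, 0, 12)   # authentication only


def original_packet(length):
    """An IPv4 packet of `length` bytes as a list of (name, bytes) parts."""
    return [("original IP header", IPV4_HDR), ("payload", length - IPV4_HDR)]


def gre_packet(length):
    """The same packet after GRE encapsulation (what a GRE-over-IPsec tunnel protects)."""
    return [("GRE delivery IP header", IPV4_HDR), ("GRE header", GRE_HDR)] + original_packet(length)


def esp(packet, mode, tf, nat_t=False):
    """ESP encapsulation: tunnel mode hides the whole packet behind a new IP header;
    transport mode keeps the first (IP) header outside and protects only the rest."""
    ip_hdr, *rest = packet
    if mode == "tunnel":
        outer, inside = [("new IP header", IPV4_HDR)], packet
    elif mode == "transport":
        outer, inside = [ip_hdr], rest
    else:
        raise ValueError(mode)
    if nat_t:
        outer.append(("UDP 4500 header (NAT-T)", UDP_HDR))   # RFC 3948
    protected = sum(n for _, n in inside)
    pad = (-(protected + 2)) % tf.block   # payload + pad + pad-length + next-header aligned
    trailer = [("ESP trailer (pad, pad len, next hdr)", pad + 2), ("ESP ICV", tf.icv)]
    return outer + [("ESP header", ESP_HDR)] + ([("IV", tf.iv)] if tf.iv else []) + inside + trailer


def ah(packet, mode, icv=12):
    """AH encapsulation: same two modes, the header carries the ICV, nothing is encrypted."""
    ip_hdr, *rest = packet
    hdr = [("AH header", AH_FIXED + icv)]
    if mode == "tunnel":
        return [("new IP header", IPV4_HDR)] + hdr + packet
    if mode == "transport":
        return [ip_hdr] + hdr + rest
    raise ValueError(mode)


def wire_size(parts):
    return sum(n for _, n in parts)


def layout(parts):
    return " + ".join(f"{name} ({n})" for name, n in parts)


def max_inner_mtu(physical_mtu, encap):
    """Largest original packet whose encapsulation `encap(length)` fits physical_mtu,
    padding included: the value to configure as `ip mtu` on the tunnel interface."""
    length = physical_mtu
    while wire_size(encap(length)) > physical_mtu:
        length -= 1
    return length


if __name__ == "__main__":
    pkt = original_packet(1400)   # constructed sample packet
    for name, parts in [("ESP tunnel", esp(pkt, "tunnel", AES_CBC_SHA1)),
                        ("ESP transport", esp(pkt, "transport", AES_CBC_SHA1)),
                        ("ESP tunnel + NAT-T", esp(pkt, "tunnel", AES_CBC_SHA1, nat_t=True)),
                        ("AH tunnel", ah(pkt, "tunnel")),
                        ("GRE over ESP tunnel", esp(gre_packet(1400), "tunnel", AES_CBC_SHA1))]:
        print(f"{name}: {wire_size(parts)} bytes, overhead {wire_size(parts) - 1400}\n  {layout(parts)}")
    print("ip mtu, ESP tunnel mode on a 1500-byte link:",
          max_inner_mtu(1500, lambda n: esp(original_packet(n), "tunnel", AES_CBC_SHA1)))
    print("ip mtu, GRE over ESP tunnel mode:",
          max_inner_mtu(1500, lambda n: esp(gre_packet(n), "tunnel", AES_CBC_SHA1)))
```

The GRE-over-ESP tunnel-mode case lands at 1414 bytes of original packet on a 1500-byte link, which is why the usual ip mtu 1400 plus ip tcp adjust-mss 1360 on GRE/IPsec tunnels leaves a small margin rather than none.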

54
Drag & Dropmedium

Drag and drop the steps of configuring a site-to-site IPsec VPN on Cisco IOS into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order for configuring a site-to-site IPsec VPN is: first define the IKE policy (Phase 1 parameters), then define the IPsec transform set (Phase 2 parameters), then create the crypto ACL to match interesting traffic, then configure the crypto map to bind all parameters, and finally apply the crypto map to the outgoing interface.

55
MCQmedium

A network engineer runs the following command on Router R7:

R7# show crypto ikev2 sa detail
 IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, Child count:1

Tunnel-id Local                 Remote                Status       Role
1         10.1.1.1/4500         10.2.2.2/4500         READY        INITIATOR
      Encr: AES-CBC 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3600 sec
Child SA:
      Local selector 10.1.1.0/0 - 10.1.1.255/65535
      Remote selector 10.2.2.0/0 - 10.2.2.255/65535
      ESP spi in/out: 0x12345678/0x87654321

Based on this output, what can be concluded?

A.The IKEv2 SA is in a failed state because it is READY.
B.The tunnel is using pre-shared keys for authentication.
C.The tunnel is using RSA signatures for authentication.
D.The IKEv2 SA has expired because the life time is 86400 seconds.
AnswerB

The output shows 'Auth sign: PSK' and 'Auth verify: PSK', confirming PSK authentication.

Why this answer

The IKEv2 SA is UP-ACTIVE with status READY. The encryption is AES-CBC 256, hash SHA256, DH Group 14, and authentication is PSK. The tunnel is working correctly.

56
Multi-Selecthard

Which three statements about MPLS Layer 3 VPNs are true? (Choose three.)

Select 3 answers
A.MP-BGP is used to exchange VPNv4 routes between PE routers.
B.Each customer site requires a separate VRF on the PE router.
C.The P router maintains a full routing table for all VPN customers.
D.A single MPLS label is used for both transport and VPN identification.
E.The PE router performs the routing between the CE device and the MPLS core.
AnswersA, B, E

Correct because MP-BGP carries VPNv4 prefixes with route distinguishers and route targets.

Why this answer

MPLS L3VPNs use MP-BGP to exchange VPNv4 routes (route distinguisher plus IPv4 prefix, with route-target communities controlling import and export), keep customer routes in per-customer VRFs on each PE (sites of the same customer attached to one PE share that VRF), and use two labels: an IGP transport label that the P routers switch on, and a VPN label that only the egress PE uses for the VRF lookup. P routers carry no customer routes, and the PE performs the routing between the CE and the MPLS core.

57
Matchingmedium

Drag and drop each IKEv2 exchange on the left to its matching phase on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Phase 1 key agreement

Phase 2 authentication and policy

Rekey or additional SA

Error and status exchange

Phase 1 response with DH public value

Why these pairings

IKE_SA_INIT is the first exchange, in which the initiator's request and the responder's reply carry their Diffie-Hellman public values and nonces for key agreement; IKE_AUTH is the second exchange, which authenticates the peers and negotiates the policy for the first child SA; CREATE_CHILD_SA is used for rekeying or for creating additional SAs; INFORMATIONAL carries error notifications and status, including delete payloads and the empty exchanges used for liveness (dead peer detection).
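The four IKEv2 exchange types from Questions 51 and 57, together with the port 500 to 4500 switch from Question 34, as an added Python example that is not code from the quiz page. It decodes the fixed IKEv2 header (RFC 7296 section 3.1) and shows how a receiver on UDP 4500 tells IKE from UDP-encapsulated ESP: IKE carries a four-zero-byte non-ESP marker, ESP starts with its never-zero SPI, and a lone 0xFF byte is a NAT keepalive (RFC 3948). The sample datagrams are constructed, with arbitrary SPIs and no payloads after the header.

```python
"""Added example (not from the quiz page): classify UDP datagrams on 500/4500 and
decode the IKEv2 header. The sample datagrams below are constructed."""
import struct
from dataclasses import dataclass

IKE_HDR = struct.Struct("!8s8sBBBBII")   # RFC 7296 s3.1: SPIi, SPIr, next payload, version,
                                         # exchange type, flags, message ID, length
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 s2.2: IKE on port 4500 carries this prefix


@dataclass(frozen=True)
class IkeHeader:
    spi_i: str
    spi_r: str
    exchange: str
    message_id: int
    from_initiator: bool
    is_response: bool
    length: int


def classify_udp_4500(data):
    """What a UDP/4500 datagram carries: ('ike', ike_bytes), ('esp', spi) or
    ('keepalive', None). ESP SPIs are never zero, so the marker is unambiguous."""
    if data == b"\xff":
        return "keepalive", None          # NAT-T keepalive: a single 0xFF byte
    if data[:4] == NON_ESP_MARKER:
        return "ike", data[4:]
    return "esp", struct.unpack("!I", data[:4])[0]


def parse_ike_header(buf):
    """Decode and sanity-check the fixed 28-byte IKEv2 header."""
    if len(buf) < IKE_HDR.size:
        raise ValueError("datagram shorter than an IKE header")
    spi_i, spi_r, _next, version, xtype, flags, msg_id, length = IKE_HDR.unpack_from(buf)
    if version >> 4 != 2:
        raise ValueError(f"major version {version >> 4}, not IKEv2")
    if length != len(buf):
        raise ValueError("length field does not match datagram size")
    return IkeHeader(spi_i.hex(), spi_r.hex(), EXCHANGES.get(xtype, f"unknown({xtype})"),
                     msg_id, bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE), length)


def build_ike(spi_i, spi_r, xtype, flags, msg_id, body=b""):
    """Inverse of parse_ike_header; next-payload 0 means the body carries no payloads."""
    return IKE_HDR.pack(spi_i, spi_r, 0, 0x20, xtype, flags, msg_id, IKE_HDR.size + len(body)) + body


def describe(dst_port, data):
    """One line per datagram, the way a capture-analysis helper would print it."""
    if dst_port == 500:
        kind, payload = "ike", data
    elif dst_port == 4500:
        kind, payload = classify_udp_4500(data)
    else:
        return f"udp/{dst_port}: not IKE or NAT-T"
    if kind == "esp":
        return f"udp/4500 ESP-in-UDP, SPI 0x{payload:08x}"
    if kind == "keepalive":
        return "udp/4500 NAT-T keepalive"
    h = parse_ike_header(payload)
    role = "initiator" if h.from_initiator else "responder"
    what = "response" if h.is_response else "request"
    return f"udp/{dst_port} IKEv2 {h.exchange} {what} from {role}, msg id {h.message_id}, {h.length} bytes"


# Constructed samples: SPI values are arbitrary and the messages carry no payloads.
SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("a0b0c0d0e0f00102")
SAMPLES = [
    (500, build_ike(SPI_I, bytes(8), 34, FLAG_INITIATOR, 0)),                  # IKE_SA_INIT request
    (500, build_ike(SPI_I, SPI_R, 34, FLAG_RESPONSE, 0)),                      # IKE_SA_INIT response
    (4500, NON_ESP_MARKER + build_ike(SPI_I, SPI_R, 35, FLAG_INITIATOR, 1)),   # IKE_AUTH after NAT detected
    (4500, NON_ESP_MARKER + build_ike(SPI_I, SPI_R, 36, FLAG_INITIATOR, 2)),   # CREATE_CHILD_SA (rekey)
    (4500, struct.pack("!II", 0x12345678, 1) + bytes(64)),                     # UDP-encapsulated ESP
    (4500, b"\xff"),                                                           # NAT-T keepalive
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(describe(port, data))
```

The IKE_SA_INIT request has an all-zero responder SPI because the responder has not chosen one yet; the responder SPI becomes non-zero from the IKE_SA_INIT response onward, which is one quick way to tell the two halves of the first exchange apart in a capture.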

58
MCQhard

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv2 and a pre-shared key. The configuration on both routers includes:

crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14

The engineer also configures a crypto ikev2 keyring and a crypto ikev2 profile. The tunnel does not establish, and the engineer sees that no IKEv2 SA is created. What is the most likely missing configuration?

A.The IKEv2 proposal is not configured correctly.
B.The IKEv2 profile is not attached to the crypto map or interface.
C.The IPsec transform set is missing.
D.The pre-shared key is not defined in the keyring.
AnswerB

Correct because the profile must be applied to activate the configuration.

Why this answer

In IKEv2 the crypto ikev2 profile is not applied to an interface directly: it is referenced with set ikev2-profile from the IPsec profile that the tunnel interface uses (tunnel protection ipsec profile) or from the crypto map entry applied to the interface. Without that reference the router never selects the profile, so the keyring and the matched identity are never used and no IKEv2 SA is attempted. Option B is correct because the profile must be attached.

Option A is incorrect because the proposal is configured. Option C is incorrect because the transform set is for IPsec, not IKE. Option D is incorrect because the keyring is configured.
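A check for the dependency chain that Question 58 (and the configuration order in Question 54) rely on, added as a Python example that is not code from the quiz page: it parses an IOS running-config into top-level sections, then verifies that every IKEv2 profile using pre-shared keys names an existing keyring with a key, that every IPsec profile and crypto map entry names an existing transform set and IKEv2 profile, that each IKEv2 profile is referenced by something, and that each IPsec profile or crypto map is applied to an interface. The sample configuration, its names, addresses and placeholder key are constructed; BROKEN_CONFIG drops the set ikev2-profile line to reproduce the Question 58 fault.

```python
"""Added example (not from the quiz page): lint the reference chain of an IOS
IKEv2 site-to-site configuration. The sample config, names and PSK are constructed."""


def parse_sections(config):
    """Top-level config lines paired with their indented sub-lines, in order."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def word_after(lines, prefix):
    """First token following `prefix` in the first sub-line that starts with it, else None."""
    for line in lines:
        if line.startswith(prefix):
            rest = line[len(prefix):].split()
            return rest[0] if rest else None
    return None


def check_ikev2_chain(config):
    """Findings about dangling or missing references; [] means every IKEv2 profile,
    keyring, transform set and IPsec profile/crypto map is defined, linked and applied."""
    sections = parse_sections(config)
    names = lambda kind: {h.split()[3] for h, _ in sections if h.startswith(f"crypto {kind} ")}
    ikev2_profiles, keyrings = names("ikev2 profile"), names("ikev2 keyring")
    transform_sets, ipsec_profiles = names("ipsec transform-set"), names("ipsec profile")
    is_map_entry = lambda w: w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit()
    crypto_maps = {h.split()[2] for h, _ in sections if is_map_entry(h.split())}
    findings, used_ikev2, applied = [], set(), set()
    for header, lines in sections:
        w = header.split()
        if header.startswith("crypto ikev2 profile "):
            if any(l.startswith("authentication") and l.endswith("pre-share") for l in lines):
                kr = word_after(lines, "keyring local ")
                if kr not in keyrings:
                    findings.append(f"ikev2 profile {w[3]}: keyring local {kr} missing or undefined")
        elif header.startswith("crypto ikev2 keyring "):
            if not any(l.startswith("pre-shared-key") for l in lines):
                findings.append(f"ikev2 keyring {w[3]}: no pre-shared-key under any peer")
        elif header.startswith("crypto ipsec profile ") or is_map_entry(w):
            owner = f"ipsec profile {w[3]}" if w[1] == "ipsec" else f"crypto map {w[2]} {w[3]}"
            ts = word_after(lines, "set transform-set ")
            if ts not in transform_sets:
                findings.append(f"{owner}: transform-set {ts} missing or undefined")
            prof = word_after(lines, "set ikev2-profile ")
            if prof is None:
                findings.append(f"{owner}: no 'set ikev2-profile', so no IKEv2 profile is attached")
            elif prof not in ikev2_profiles:
                findings.append(f"{owner}: ikev2-profile {prof} is not defined")
            else:
                used_ikev2.add(prof)
        elif header.startswith("interface "):
            ref = word_after(lines, "tunnel protection ipsec profile ") or word_after(lines, "crypto map ")
            if ref:
                applied.add(ref)
    findings += [f"ikev2 profile {p}: defined but referenced by no ipsec profile or crypto map"
                 for p in sorted(ikev2_profiles - used_ikev2)]
    findings += [f"{p}: defined but applied to no interface"
                 for p in sorted((ipsec_profiles | crypto_maps) - applied)]
    return findings


# Constructed sample: a complete VTI-style IKEv2 site-to-site configuration.
GOOD_CONFIG = """\
crypto ikev2 proposal PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 keyring KR
 peer R2
  address 192.0.2.2
  pre-shared-key example-psk-change-me
crypto ikev2 profile IKEV2-PROF
 match identity remote address 192.0.2.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
"""
BROKEN_CONFIG = GOOD_CONFIG.replace(" set ikev2-profile IKEV2-PROF\n", "")   # the Question 58 omission

if __name__ == "__main__":
    print(check_ikev2_chain(GOOD_CONFIG), check_ikev2_chain(BROKEN_CONFIG), sep="\n")
```

Run it over the output of show running-config | section crypto|interface; a non-empty list is the thing to fix before reaching for debug crypto ikev2, because a profile that is never referenced produces no debug output at all.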

Ready to test yourself?

Try a timed practice session using only VPN Technologies questions.