Examine this configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is missing from this configuration to ensure the tunnel works correctly?
All necessary components: ISAKMP policy, key, transform set, crypto map with peer and ACL, and interface application.
Why this answer
The configuration is complete for a site-to-site IPsec VPN. ISAKMP policy 10 specifies AES-256 encryption, pre-shared key authentication, Diffie-Hellman group 14, and a lifetime of 86400 seconds (the default is 86400, so explicitly setting it is fine). The crypto map CMAP binds the transform set TSET (AES-256, SHA-HMAC) to peer 192.168.1.2 and matches interesting traffic via access-list 101 (10.1.1.0/24 to 10.2.2.0/24).
The interface GigabitEthernet0/1 applies the crypto map. A route to the remote LAN is not required because IPsec encrypts traffic based on the crypto ACL; routing only needs to reach the peer's public IP (192.168.1.2), which is directly connected on the same subnet.
Exam trap
Cisco often tests the misconception that a route to the remote LAN is required for IPsec to work, but in reality, the crypto ACL handles traffic selection, and only a route to the peer's public IP is needed.
How to eliminate wrong answers
Option B is wrong because a route to the remote LAN 10.2.2.0/24 is not required for IPsec; the crypto ACL defines which traffic is encrypted, and the router only needs a route to the peer's public IP (192.168.1.2), which is directly connected. Option C is wrong because the ISAKMP policy already includes a 'lifetime' value of 86400 seconds, which is valid and matches the default; no lifetime is missing. Option D is wrong because the transform set uses 'mode tunnel' (the default for site-to-site VPNs), which is correct; 'mode transport' is used for host-to-host or GRE-over-IPsec, not for site-to-site.