300-410 · topic practice

IPsec Site-to-Site VPN practice questions

Practise Cisco CCNP ENARSI 300-410 IPsec Site-to-Site VPN practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: IPsec Site-to-Site VPN

What the exam tests

What to know about IPsec Site-to-Site VPN

IPsec Site-to-Site VPN questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common IPsec Site-to-Site VPN exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

IPsec Site-to-Site VPN questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?

Question 2 · medium · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is not coming up. The engineer runs 'show crypto isakmp sa' and sees no active IKE SAs. The peer IP address is correctly configured. What should the engineer check first?

Question 3 · hard · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN between two Cisco routers. The tunnel is up, but traffic intermittently drops. The engineer notices that the 'show crypto ipsec sa' output shows the packet counters incrementing for both encrypt and decrypt, but the 'pkts encaps failed' counter is also increasing. What is the most likely cause?

Question 4 · hard · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up but traffic from the remote LAN to the local LAN is not working. The engineer pings from the remote router to the local LAN IP and it succeeds. However, pings from a host on the remote LAN to a host on the local LAN fail. What is the most likely cause?

Question 5 · medium · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel over IPsec. The GRE tunnel is up/up, but the routing protocol (EIGRP) running over the GRE tunnel is not forming an adjacency. The engineer checks the tunnel configuration and sees that the tunnel source and destination are correct. What is the most likely cause?

Question 6 · hard · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up, but the engineer notices that the 'show crypto ipsec sa' output shows that the number of packets encrypted is much higher than the number of packets decrypted on the remote side. What is the most likely cause?

Question 7 · medium · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN that stopped working after a recent configuration change. The engineer runs 'show crypto isakmp sa' and sees an active IKE SA, but 'show crypto ipsec sa' shows no IPsec SAs. What is the most likely cause?

Question 8 · hard · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up and traffic is flowing, but the engineer notices that the 'show crypto ipsec sa' output shows the 'pkts encaps failed' counter incrementing slowly over time. The tunnel remains up. What is the most likely cause?

Question 9 · medium · multiple choice

A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel. The GRE tunnel is up/up, and EIGRP is forming an adjacency over it. However, traffic from the local LAN to the remote LAN is not working. The engineer pings the remote LAN IP from the local router and it succeeds. What is the most likely cause?

Question 10 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa

dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        MM_NO_STATE          1    0 ACTIVE

Based on this output, what is the problem?

Question 11 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

Based on this output, what is the problem?

Question 12 · easy · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa

dst             src             state          conn-id slot status
10.1.1.2        10.1.1.1        QM_IDLE              1    0 ACTIVE

Based on this output, which statement is correct?

Question 13 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

Based on this output, what is the problem?

Question 14 · easy · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (SHA256)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit

Based on this output, which statement is correct?

Question 15 · easy · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec transform-set

Transform set ESP-AES256-SHA: { esp-256-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },

Transform set ESP-AES128-SHA: { esp-aes esp-sha256-hmac }
   will negotiate = { Tunnel, },

Based on this output, which statement is correct?

Question 16 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto map
Crypto Map "VPN-MAP" 10 ipsec-isakmp

        Peer = 10.1.1.2
        Extended IP access list 100
            access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ESP-AES256-SHA,}
        Interfaces using crypto map VPN-MAP:
                Tunnel0

Based on this output, which statement is correct?

Question 17 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto ipsec sa | include pkts

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Based on this output, what is the problem?

Question 18 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa detail

Codes: C - IKEv1, I - IKEv2

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap
1     10.1.1.1        10.1.1.2               ACTIVE aes  sha  psk  14 23:59:59

Based on this output, which statement is correct?

Question 19 · medium · multiple choice

Given the following partial configuration on router R1:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key cisco123 address 192.168.1.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

What is the effect of this configuration?

Question 20 · medium · multiple choice

Consider the following configuration on router R2:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp key secretkey address 192.168.1.1
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 crypto map CMAP
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Which statement is true?

Frequently asked questions

What does the 300-410 exam test about IPsec Site-to-Site VPN?
IPsec Site-to-Site VPN questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just IPsec Site-to-Site VPN questions in a focused session?
Yes — the session launcher on this page draws every question from the IPsec Site-to-Site VPN domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 300-410 topics?
Use the topic links above to move to related areas, or go back to the 300-410 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 300-410 exam covers. They are not copied from any real exam or dump site.