350-401 · topic practice

VPN Technologies practice questions

Practise ENCOR 350-401 VPN Technologies practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: VPN Technologies

What the exam tests

What to know about VPN Technologies

VPN Technologies questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common VPN Technologies exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

VPN Technologies questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?

Question 2 · hard · multiple choice

A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?

Question 3 · medium · multiple choice

An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?

Question 4 · hard · multiple choice

A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?

Question 5 · easy · multiple choice

An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?

Question 6 · medium · multiple choice

A network engineer is configuring a remote access VPN using Cisco AnyConnect on an ASA. The engineer wants to use certificate-based authentication. The ASA is configured with a CA server. After configuration, users can connect, but they are prompted for a username and password instead of using certificates. The engineer checks the ASA configuration and sees that the tunnel group has authentication method set to AAA. What should the engineer do to fix this?

Question 7 · hard · multiple choice

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv2. The engineer wants to use a pre-shared key. The configuration on both routers includes: crypto ikev2 proposal default, encryption aes-cbc-256, integrity sha256, group 14. The engineer also configures crypto ikev2 keyring and crypto ikev2 profile. The tunnel does not establish. The engineer sees that the IKEv2 SA is not created. What is the most likely missing configuration?

Question 8 · hard · multiple choice

A network engineer is configuring a DMVPN Phase 3 network. The hub router is a Cisco 4500X and the spokes are Cisco 4321s. The engineer wants to enable spoke-to-spoke direct communication. After configuration, the spokes can communicate via the hub, but not directly. The engineer checks the NHRP cache on a spoke and sees that it has a mapping for the other spoke's tunnel IP to the hub's physical IP. What is the most likely cause?

Question 9 · easy · multiple choice

An engineer is configuring a site-to-site VPN between two Cisco routers using IPsec with IKEv1. The engineer configures a crypto map on the outside interface. The tunnel establishes, but only traffic from one direction is encrypted. For example, traffic from Router A to Router B is encrypted, but traffic from Router B to Router A is not. The engineer checks the crypto map on Router B and finds that it is not applied to the correct interface. What is the most likely issue?

Question 10 · medium · multiple choice

A network engineer runs the following command on Router R1:

R1# show crypto isakmp sa

dst             src             state             conn-id slot
10.1.1.2        10.1.1.1        MM_NO_STATE             1    0

Based on this output, what can be concluded?

Question 11 · medium · multiple choice

A network engineer runs the following command on Router R2:

R2# show crypto ipsec sa peer 10.2.2.2
interface: Tunnel0
    Crypto map tag: CMAP, local addr 10.1.1.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts compressed: 0, #pkts decompress: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Based on this output, what can be concluded?

Question 12 · hard · multiple choice

A network engineer runs the following command on Router R3:

R3# show dmvpn

Legend: Attrb -> S: Static, D: Dynamic, I: Incomplete
        N: NATed, L: Local, X: No Socket
        # Ent -> Number of NHRP entries with same NBMA peer
        NHS Status: E => Expecting Replies, R => Responding, W => Waiting
        UpDn Time -> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.1.1            10.0.0.1    UP 00:12:34     D
     1 192.168.1.2            10.0.0.2    UP 00:10:20     D

Based on this output, what can be concluded?

Question 13 · medium · multiple choice

A network engineer runs the following command on Router R4:

R4# show mpls ldp neighbor

    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.54567
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 00:15:30
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 10.0.0.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.1

Based on this output, what can be concluded?

Question 14 · hard · multiple choice

A network engineer runs the following command on Router R5:

R5# show ip route vrf CUSTOMER-A

Routing Table: CUSTOMER-A
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
B       10.2.2.0/24 [20/0] via 10.1.1.1, 00:10:20

Based on this output, what can be concluded?

Question 15 · hard · multiple choice

A network engineer runs the following command on Router R6:

R6# show ip bgp vpnv4 all summary

BGP router identifier 10.0.0.6, local AS number 65000
BGP table version is 10, main routing table version 10
10 network entries using 1440 bytes of memory
10 path entries using 800 bytes of memory
4/3 BGP path/bestpath attribute entries using 576 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 2896 total bytes of memory
BGP activity 20/10 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.7        4        65001    1000    1000       10    0    0 00:20:00        5
10.0.0.8        4        65002     500     500       10    0    0 00:10:00        3

Based on this output, what can be concluded?

Question 16 · medium · multiple choice

A network engineer runs the following command on Router R7:

R7# show crypto ikev2 sa detail

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, Child count:1

Tunnel-id Local                 Remote                Status  Role
1         10.1.1.1/4500         10.2.2.2/4500         READY   INITIATOR
      Encr: AES-CBC 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3600 sec

Child SA: Local selector 10.1.1.0/0 - 10.1.1.255/65535
          Remote selector 10.2.2.0/0 - 10.2.2.255/65535
          ESP spi in/out: 0x12345678/0x87654321

Based on this output, what can be concluded?

Question 17 · medium · multiple choice

A network engineer runs the following command on Router R8:

R8# show ip nhrp

10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:10:00, expire 01:50:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.1
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:05:00, expire 01:55:00
   Type: dynamic, Flags: unique registered
   NBMA address: 192.168.1.2

Based on this output, what can be concluded?

Question 18 · hard · multiple choice

A network engineer runs the following command on Router R9:

R9# show ip interface tunnel 0

Tunnel0 is up, line protocol is up
  Internet address is 10.0.0.9/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1400 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

Based on this output, what can be concluded?

Question 19 · medium · multiple choice

Given the following configuration on a Cisco IOS-XE router:

interface Tunnel100
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.168.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE

What is the effect of this configuration?

Question 20 · medium · multiple choice

Examine the following IPsec configuration snippet:

crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2_POL
 proposal IKEV2_PROP
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROF
 set transform-set TSET
 set ikev2-profile IKEV2_POL

Which statement about this configuration is true?

Frequently asked questions

What does the 350-401 exam test about VPN Technologies?
VPN Technologies questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just VPN Technologies questions in a focused session?
Yes — the session launcher on this page draws every question from the VPN Technologies domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-401 topics?
Use the topic links above to move to related areas, or go back to the 350-401 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-401 exam covers. They are not copied from any real exam or dump site.