🔒 VPN Technologies - ENARSI Practice Questions

Study MPLS, DMVPN, FlexVPN, GRE, IPsec site-to-site and remote access VPNs for enterprise WAN connectivity.

21 Questions Available
1 Exam Domain


ENARSI VPN Technologies Question Bank (21 Questions)

Browse all 21 practice questions covering VPN Technologies for the ENARSI certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

  1. Question 1 (VPN Technologies)

    What protocol does Cisco FlexVPN use for key exchange and tunnel establishment?

    A. IKEv1
    B. IKEv2
    C. SSL/TLS
    D. SSH
    Correct Answer: B
    Explanation:

    FlexVPN is Cisco's next-generation VPN framework built on IKEv2 (RFC 7296). IKEv2 provides faster negotiation (fewer message exchanges), built-in NAT traversal, EAP authentication support, and MOBIKE for seamless failover.

  2. Question 2 (VPN Technologies)

    What is the benefit of GRE over IPsec compared to plain IPsec tunnel mode?

    A. GRE provides stronger encryption
    B. GRE supports multicast and routing protocols (OSPF, EIGRP) which plain IPsec tunnel mode does not
    C. GRE eliminates the need for encryption
    D. GRE reduces bandwidth overhead
    Correct Answer: B
    Explanation:

    Plain IPsec tunnel mode only supports unicast traffic. GRE encapsulation before IPsec enables multicast, broadcast, and non-IP protocols to traverse the VPN, allowing dynamic routing protocols (OSPF, EIGRP, BGP) to run over the tunnel.

  3. Question 3 (VPN Technologies)

    What advantage does a VTI (Virtual Tunnel Interface) IPsec VPN have over crypto map-based VPN?

    A. Stronger encryption
    B. VTI creates a routable interface, enabling routing protocols to run over the tunnel and simplifying configuration
    C. VTI is faster
    D. VTI doesn't require IKE
    Correct Answer: B
    Explanation:

    A VTI (tunnel interface with tunnel protection ipsec profile) creates a routable tunnel interface. This allows routing protocols, QoS, multicast, and per-tunnel features. Crypto maps are policy-based and don't create a true interface.

  4. Question 4 (VPN Technologies)

    What does a crypto map define in an IPsec VPN configuration?

    A. Only the encryption algorithm
    B. The complete IPsec policy: interesting traffic (ACL), peer address, transform set, and IPsec SA parameters
    C. Only the remote peer's IP
    D. Only the pre-shared key
    Correct Answer: B
    Explanation:

    A crypto map ties together all IPsec VPN components: match address (ACL defining interesting traffic), set peer (remote VPN endpoint), set transform-set (encryption/auth algorithms), and optional parameters like PFS and SA lifetime.

  5. Question 5 (VPN Technologies)

    What are the three key technologies that make up DMVPN (Dynamic Multipoint VPN)?

    A. OSPF, BGP, and EIGRP
    B. mGRE (multipoint GRE), NHRP (Next Hop Resolution Protocol), and IPsec
    C. NAT, DHCP, and DNS
    D. VXLAN, EVPN, and BGP
    Correct Answer: B
    Explanation:

    DMVPN combines: mGRE (multipoint GRE tunnels from a single interface), NHRP (dynamically resolves tunnel endpoints' real addresses), and IPsec (encrypts tunnel traffic). Together they create a scalable hub-and-spoke or spoke-to-spoke VPN.

  6. Question 6 (VPN Technologies)

    What capability does DMVPN Phase 3 provide that Phase 2 does not?

    A. Hub-to-spoke tunnels
    B. NHRP redirect and shortcut messages for optimized spoke-to-spoke communication with summarized routing
    C. IPsec encryption
    D. GRE encapsulation
    Correct Answer: B
    Explanation:

    DMVPN Phase 3 uses NHRP redirect (hub tells spoke to go direct) and NHRP shortcut (spoke creates direct tunnel). This allows route summarization at the hub while still enabling optimal spoke-to-spoke paths, unlike Phase 2 which requires specific routes.

  7. Question 7 (VPN Technologies)

    How many message exchanges does IKEv2 require to establish an IPsec SA compared to IKEv1?

    A. IKEv2 requires more exchanges
    B. IKEv2 uses 4 messages (2 exchanges) vs IKEv1's 9+ messages (3 exchanges in main mode + quick mode)
    C. They require the same number
    D. IKEv2 requires only 1 message
    Correct Answer: B
    Explanation:

    IKEv2 establishes a complete IPsec SA in just 4 messages (IKE_SA_INIT + IKE_AUTH exchanges). IKEv1 main mode uses 6 messages for Phase 1 plus 3 for Phase 2 Quick Mode. IKEv2 is faster and includes built-in NAT-T and EAP support.

  8. Question 8 (VPN Technologies)

    What happens when a DMVPN spoke wants to communicate directly with another spoke in Phase 2/3?

    A. Traffic always goes through the hub
    B. The spoke sends an NHRP resolution request to discover the other spoke's public IP and creates a direct tunnel
    C. The spoke creates a new hub tunnel
    D. Traffic is dropped
    Correct Answer: B
    Explanation:

    In DMVPN Phase 2/3, when a spoke needs to reach another spoke, it sends an NHRP resolution request (via the hub or directly). Once the spoke learns the target's NBMA (public) address, it creates a direct spoke-to-spoke tunnel.

  9. Question 9 (VPN Technologies)

    Which protocol does DMVPN use to dynamically resolve tunnel endpoint addresses between spoke routers?

    A. GRE
    B. IPsec
    C. NHRP (Next Hop Resolution Protocol)
    D. BGP
    Correct Answer: C
    Explanation:

    NHRP allows DMVPN spoke routers to dynamically discover the real IP addresses of other spokes through the hub, enabling direct spoke-to-spoke tunnels without static configuration.

  10. Question 10 (VPN Technologies)

    What is the purpose of the tunnel protection command in a GRE over IPsec configuration?

    A. Enable QoS on the tunnel
    B. Apply an IPsec profile to encrypt GRE tunnel traffic
    C. Set the tunnel MTU
    D. Enable keepalives on the tunnel
    Correct Answer: B
    Explanation:

    'tunnel protection ipsec profile <name>' applies IPsec encryption to GRE tunnel traffic, creating a GRE over IPsec VPN that combines GRE's multicast/multiprotocol support with IPsec security.

  11. Question 11 (VPN Technologies)

    Which DMVPN phase allows spoke-to-spoke tunnels to be established directly without routing through the hub?

    A. Phase 1
    B. Phase 2
    C. Phase 3
    D. All phases
    Correct Answer: C
    Explanation:

    DMVPN Phase 3 uses NHRP redirect and shortcut switching to establish direct spoke-to-spoke tunnels. Phase 1 uses hub-and-spoke only, Phase 2 allows spoke-to-spoke but with routing limitations.

  12. Question 12 (VPN Technologies)

    What is the difference between GRE and IPsec tunnels?

    A. No difference
    B. GRE provides encapsulation without encryption; IPsec provides encryption. They're often combined for encrypted multicast/routing protocol support
    C. GRE is encrypted; IPsec is not
    D. GRE is faster
    Correct Answer: B
    Explanation:

    GRE encapsulates any protocol in IP but doesn't encrypt. IPsec encrypts but only supports unicast. GRE over IPsec combines both: GRE carries multicast/routing, IPsec encrypts the GRE tunnel.

  13. Question 13 (VPN Technologies)

    What is the difference between IPsec tunnel mode and transport mode?

    A. Tunnel mode is faster
    B. Tunnel mode encapsulates the entire original IP packet with a new IP header; transport mode only encrypts the payload, keeping the original IP header
    C. Transport mode is more secure
    D. There is no difference
    Correct Answer: B
    Explanation:

    Tunnel mode adds a new outer IP header and encrypts/authenticates the entire original packet — used for site-to-site VPNs. Transport mode encrypts only the payload, preserving the original IP header — used for host-to-host or with GRE.

  14. Question 14 (Infrastructure Services)

    What do GRE tunnel keepalives verify?

    A. Encryption key validity
    B. End-to-end tunnel reachability — both the tunnel interface and the remote endpoint are operational
    C. Bandwidth capacity
    D. DNS resolution
    Correct Answer: B
    Explanation:

    GRE keepalives send periodic packets through the tunnel to verify end-to-end connectivity. If keepalives are not returned (the remote end is down or unreachable), the tunnel interface is brought down, triggering routing convergence.

  15. Question 15 (VPN Technologies)

    What is FlexVPN?

    A. A legacy VPN
    B. Cisco's IKEv2-based VPN framework unifying site-to-site, remote access, and spoke-to-spoke VPN deployments with a single, flexible configuration model
    C. A free VPN service
    D. A wireless VPN
    Correct Answer: B
    Explanation:

    FlexVPN uses IKEv2 exclusively and supports hub-and-spoke, spoke-to-spoke (NHRP), remote access, and EAP authentication. It replaces legacy DMVPN/EzVPN with a unified configuration using IKEv2 profiles, keyring, and authorization.

  16. Question 16 (VPN Technologies)

    In MPLS VPN, which routing protocol is typically used between PE (Provider Edge) and CE (Customer Edge) routers?

    A. LDP
    B. RSVP
    C. eBGP, OSPF, EIGRP, or static routes
    D. IS-IS only
    Correct Answer: C
    Explanation:

    PE-CE routing can use eBGP, OSPF, EIGRP, RIPv2, or static routes to exchange customer routes. The choice depends on customer requirements and provider policy.

  17. Question 17 (VPN Technologies)

    In an IPsec VPN, which protocol provides data confidentiality through encryption?

    A. AH (Authentication Header)
    B. ESP (Encapsulating Security Payload)
    C. IKE (Internet Key Exchange)
    D. GRE
    Correct Answer: B
    Explanation:

    ESP provides both encryption (confidentiality) and authentication for IPsec VPN traffic. AH provides authentication only without encryption. IKE negotiates the security association.

  18. Question 18 (VPN Technologies)

    Which IKE version is recommended for modern IPsec VPN deployments due to improved security and efficiency?

    A. IKEv1 Main Mode
    B. IKEv1 Aggressive Mode
    C. IKEv2
    D. Manual keying
    Correct Answer: C
    Explanation:

    IKEv2 is recommended over IKEv1 for better security, fewer message exchanges (4 vs 6-9), built-in NAT-T support, and improved reliability with keep-alive mechanisms.

  19. Question 19 (VPN Technologies)

    What is DMVPN (Dynamic Multipoint VPN)?

    A. A static VPN configuration
    B. A scalable VPN architecture using mGRE and NHRP that allows spoke-to-spoke tunnels to form dynamically
    C. A firewall feature
    D. A routing protocol
    Correct Answer: B
    Explanation:

    DMVPN combines mGRE, NHRP, and IPsec to create a scalable hub-and-spoke VPN where spoke-to-spoke tunnels form dynamically on demand without static configuration.

  20. Question 20 (VPN Technologies)

    What is the role of NHRP in DMVPN?

    A. Route filtering
    B. Resolution protocol that maps tunnel (VPN) addresses to physical (NBMA) addresses, enabling dynamic spoke-to-spoke tunnels
    C. Encryption negotiation
    D. Authentication
    Correct Answer: B
    Explanation:

    NHRP (Next Hop Resolution Protocol) resolves tunnel IP addresses to underlying physical addresses (NBMA), enabling spokes to discover each other's real IP for direct tunnel establishment.

  21. Question 21 (VPN Technologies)

    What is the difference between DMVPN Phase 1, 2, and 3?

    A. No difference
    B. Phase 1: spoke-to-hub only. Phase 2: spoke-to-spoke tunnels via NHRP. Phase 3: spoke-to-spoke with NHRP shortcuts and summarization support.
    C. Phase 3 is oldest
    D. Phase 1 is most advanced
    Correct Answer: B
    Explanation:

    Phase 1: all traffic via hub (hub-and-spoke). Phase 2: NHRP enables direct spoke-to-spoke tunnels, but no route summarization. Phase 3: NHRP redirect/shortcuts enable spoke-to-spoke WITH route summarization at hub.

Key VPN Technologies Concepts for ENARSI

mpls, dmvpn, flexvpn, gre, ipsec, vpn, ikev2, crypto map, tunnel

ENARSI VPN Technologies Exam Tips

VPN Technologies questions in ENARSI are typically scenario-based. Focus on service-level decision making aligned to official exam objectives. Priority concepts: mpls, dmvpn, flexvpn, gre, ipsec, vpn.

What ENARSI Expects

  • Select the most practical, secure, and scalable answer for the stated scenario.
  • VPN Technologies scenarios for ENARSI are frequently mapped to Domain 2 (20%), so read the objective carefully before picking controls or architecture.
  • Expect multi-service scenarios where VPN Technologies interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated service question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and managed-service best practices.

High-Value VPN Technologies Concepts

  • Know the core VPN Technologies building blocks cold: mpls, dmvpn, flexvpn, gre.
  • Review the edge-case features and limits for ipsec, vpn; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how VPN Technologies pairs with Layer 3 Technologies and Infrastructure Security in real deployment patterns.
  • For ENARSI, explain why the chosen VPN Technologies design meets reliability, security, and cost expectations better than the alternatives.

Common ENARSI Traps

  • Watch for answers that partially solve the requirement but miss operational constraints.
  • Questions in VPN Technologies often include distractors that look correct for VPN Technologies but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two VPN Technologies implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to VPN Technologies (20%) outcomes for ENARSI?
  • Can you explain security and access boundaries for VPN Technologies without relying on default-open assumptions?
  • Can you describe how VPN Technologies integrates with Layer 3 Technologies and Infrastructure Security during failure, scaling, and monitoring events?
