Free Preparation Discussions
MENU
Cisco 300-540 Exam - Topic 1 Question 3 Discussion
Topic #: 1
Refer to the exhibit.
Refer to the exhibit. An engineer must configure an IPsec VPN connection between site 1 and site 2. The indicated configuration was applied to router R1; however, the tunnel fails to come up. Which command must be run on R1 to resolve the issue?
For a site-to-site IPsec VPN, each peer must point to the reachable IP address of the remote VPN endpoint---that is, the IP address on the WAN/Internet-facing interface of the remote router.
From the diagram:
R1 outside (toward Internet): 192.168.10.1
R2 outside (toward Internet): 192.168.20.2
Inside LANs:
Site 1: 10.1.0.0/24
Site 2: 10.2.0.0/24
The crypto map on R1 uses:
crypto map mymap 10 ipsec-isakmp
set transform-set myset
match address 101
set peer <REMOTE_PEER_IP>
The <REMOTE_PEER_IP> must be the IP address where R1 can actually reach the IPsec peer, which is R2's Internet-facing interface 192.168.20.2.
If the peer were configured with a LAN IP such as 10.2.0.1 (site 2's internal gateway), IKE packets would never reach the remote router because that address is not routable over the Internet.
Therefore, the correct command to bring up the VPN is:
set peer 192.168.20.2
Option A (10.1.0.1) -- local LAN IP (R1's side), not the remote endpoint.
Option C (192.168.10.1) -- R1's own WAN IP, not the remote peer.
Option D (10.2.0.1) -- remote LAN IP, not reachable directly over the Internet.
Kenneth
4 hours agoMattie
5 days agoPhil
10 days agoLigia
1 month agoBecky
1 month agoPauline
1 month agoDarrin
2 months agoJosefa
2 months agoLeota
2 months agoDick
2 months agoFrederic
2 months agoHillary
2 months agoFiliberto
3 months agoJin
3 months agoIdella
3 months agoLajuana
3 months agoLetha
3 months ago