Cisco

300-730 · Question #94

300-730 Question #94: Real Exam Question with Answer & Explanation

The correct answer is C: Add the aaa authorization group peer list Flex_AAA_Auth command to the IKEv2 profile configuration. A FlexVPN hub requires AAA group authorization configured in the IKEv2 profile to push group policies to spoke peers during tunnel negotiation.

Question

Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is failing. What should be done to correct this issue?

Options

  • A. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration.
  • B. Add the match ikev2 any command to the IKEv2 policy.
  • C. Add the aaa authorization group peer list Flex_AAA_Auth command to the IKEv2 profile configuration.
  • D. Add the tunnel mode gre ip command to the tunnel configuration.

Explanation

A FlexVPN hub requires AAA group authorization configured in the IKEv2 profile to push group policies to spoke peers during tunnel negotiation.

Common mistakes.

  • A. The keyring address command identifies remote peers for authentication matching, but its absence would produce an authentication failure rather than the group authorization failure that prevents spoke policy assignment.
  • B. The 'match ikev2 any' command broadens IKEv2 proposal acceptance in the policy but does not resolve the missing AAA group authorization command needed for spoke configuration delivery.
  • D. FlexVPN tunnels default to 'tunnel mode ipsec ipv4'; adding 'tunnel mode gre ip' would change the encapsulation type and is unrelated to the IKEv2 group authorization failure.

Concept tested. FlexVPN IKEv2 profile AAA group authorization

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16/sec-flex-vpn-xe-16-book/sec-cfg-flexvpn.html
