350-401 Question #357: Real Exam Question with Answer & Explanation
The correct answer is B: Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface.
Question
Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two)
Options
- A. Apply the crypto map to the tunnel interface and change the tunnel mode to tunnel mode ipsec ipv4.
- B. Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface.
- C. Remove the crypto map and modify the ACL to allow traffic between 10.10.0.0/24 to 10.20.0.0/24.
- D. Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL.
- E. Create an IPsec profile, associate the transform-set ACL, and apply the profile to the tunnel interface.
Explanation
IPsec Profile over GRE Tunnel Explanation
When migrating from a traditional crypto map to an IPsec profile, the process requires two key steps: removing the existing crypto map infrastructure (option D) since crypto maps and IPsec profiles cannot coexist on the same interface, and creating an IPsec profile tied to the transform-set and applying it directly to the tunnel interface (option B). This simplification works because GRE already encapsulates traffic, so IPsec profiles don't need an ACL to define "interesting traffic" - the tunnel interface itself acts as the traffic selector.
Why the distractors are wrong:
- A is incorrect because applying a crypto map to a tunnel interface is not how IPsec profiles work; profiles replace crypto maps on tunnel interfaces.
- C is incorrect because modifying the ACL is unnecessary - IPsec profiles eliminate the need for ACLs entirely since GRE handles encapsulation.
- E is incorrect because IPsec profiles do not use ACLs; that's the whole point of the simplification - the transform-set alone is associated with the profile.
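The migration described in the explanation, written out as Cisco IOS configuration for one router. This is an added example, not the exhibit from the question: the names TS, CMAP, GRE-ACL and GRE-PROF, the interface, all addresses and the pre-shared key are constructed placeholders.

```cisco
! Constructed R1 example: names, addresses and key are placeholders, not the exhibit's values.
! --- Before: crypto map on the physical interface, ACL selects the GRE traffic ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
ip access-list extended GRE-ACL
 permit gre host 192.0.2.1 host 198.51.100.2
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address GRE-ACL
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CMAP
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
!
! --- Migration: remove the crypto map and its ACL; ISAKMP policy, key and transform-set stay ---
interface GigabitEthernet0/0
 no crypto map CMAP
no crypto map CMAP
no ip access-list extended GRE-ACL
!
! --- After: the profile references only the transform-set and protects the tunnel ---
crypto ipsec profile GRE-PROF
 set transform-set TS
interface Tunnel0
 tunnel protection ipsec profile GRE-PROF
!
! Check on both routers after the change (exec mode):
!  show crypto ipsec sa      -> encaps/decaps counters should increase with tunnel traffic
!  show interface Tunnel0    -> line protocol should be up
```

The same change has to be made on R2 with tunnel source and destination reversed; a profile on only one end leaves the two routers with mismatched protection and the tunnel will not pass traffic.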
🧠 Memory Tip
Think "Profile = No ACL, No Crypto Map" - when you switch to IPsec profiles on GRE tunnels, you remove the crypto map and its ACL, and the profile simply wraps the transform-set directly onto the tunnel interface. Less config = more elegant!