nerdexam
Cisco

350-401 · Question #357

Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two)

The correct answer is B. Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface. D. Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL.. IPsec Profile over GRE Tunnel Explanation When migrating from a traditional crypto map to an IPsec profile, the process requires two key steps: removing the existing crypto map infrastructure (option D) since crypto maps and IPsec profiles cannot coexist on the same interface, an

Submitted by minji_kr· Mar 6, 2026Security

Question

Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two)

Exhibits

350-401 question #357 exhibit 1
350-401 question #357 exhibit 2

Options

  • AApply the crypto map to the tunnel interface and change the tunnel mode to tunnel mode ipsec ipv4.
  • BCreate an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface.
  • CRemove the crypto map and modify the ACL to allow traffic between 10.10.0.0/24 to 10.20.0.0/24.
  • DRemove all configuration related to crypto map from R1 and R2 and eliminate the ACL.
  • ECreate an IPsec profile, associate the transform-set ACL, and apply the profile to the tunnel interface.

How the community answered

(45 responses)
  • A
    4% (2)
  • B
    82% (37)
  • C
    2% (1)
  • E
    11% (5)

Explanation

IPsec Profile over GRE Tunnel Explanation

When migrating from a traditional crypto map to an IPsec profile, the process requires two key steps: removing the existing crypto map infrastructure (option D) since crypto maps and IPsec profiles cannot coexist on the same interface, and creating an IPsec profile tied to the transform-set and applying it directly to the tunnel interface (option B). This simplification works because GRE already encapsulates traffic, so IPsec profiles don't need an ACL to define "interesting traffic" - the tunnel interface itself acts as the traffic selector.

Why the distractors are wrong:

  • A is incorrect because applying a crypto map to a tunnel interface is not how IPsec profiles work; profiles replace crypto maps on tunnel interfaces
  • C is incorrect because modifying the ACL is unnecessary - IPsec profiles eliminate the need for ACLs entirely since GRE handles encapsulation
  • E is incorrect because IPsec profiles do not use ACLs; that's the whole point of the simplification - the transform-set alone is associated with the profile

Memory Tip

Think "Profile = No ACL, No Crypto Map" - when you switch to IPsec profiles on GRE tunnels, you remove the crypto map and its ACL, and the profile simply wraps the transform-set directly onto the tunnel interface. Less config = more elegant!

Topics

#IPsec#GRE Tunnels#IPsec Profiles#VPN Configuration

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice