350-401 · Question #357
Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two)
The correct answer is B. Create an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface. D. Remove all configuration related to crypto map from R1 and R2 and eliminate the ACL.. IPsec Profile over GRE Tunnel Explanation When migrating from a traditional crypto map to an IPsec profile, the process requires two key steps: removing the existing crypto map infrastructure (option D) since crypto maps and IPsec profiles cannot coexist on the same interface, an
Question
Refer to the exhibit. A network engineer must simplify the IPsec configuration by enabling IPsec over GRE using IPsec profiles. Which two configuration changes accomplish this? (Choose two)
Exhibits
Options
- AApply the crypto map to the tunnel interface and change the tunnel mode to tunnel mode ipsec ipv4.
- BCreate an IPsec profile, associate the transform-set, and apply the profile to the tunnel interface.
- CRemove the crypto map and modify the ACL to allow traffic between 10.10.0.0/24 to 10.20.0.0/24.
- DRemove all configuration related to crypto map from R1 and R2 and eliminate the ACL.
- ECreate an IPsec profile, associate the transform-set ACL, and apply the profile to the tunnel interface.
How the community answered
(45 responses)- A4% (2)
- B82% (37)
- C2% (1)
- E11% (5)
Explanation
IPsec Profile over GRE Tunnel Explanation
When migrating from a traditional crypto map to an IPsec profile, the process requires two key steps: removing the existing crypto map infrastructure (option D) since crypto maps and IPsec profiles cannot coexist on the same interface, and creating an IPsec profile tied to the transform-set and applying it directly to the tunnel interface (option B). This simplification works because GRE already encapsulates traffic, so IPsec profiles don't need an ACL to define "interesting traffic" - the tunnel interface itself acts as the traffic selector.
Why the distractors are wrong:
- A is incorrect because applying a crypto map to a tunnel interface is not how IPsec profiles work; profiles replace crypto maps on tunnel interfaces
- C is incorrect because modifying the ACL is unnecessary - IPsec profiles eliminate the need for ACLs entirely since GRE handles encapsulation
- E is incorrect because IPsec profiles do not use ACLs; that's the whole point of the simplification - the transform-set alone is associated with the profile
Memory Tip
Think "Profile = No ACL, No Crypto Map" - when you switch to IPsec profiles on GRE tunnels, you remove the crypto map and its ACL, and the profile simply wraps the transform-set directly onto the tunnel interface. Less config = more elegant!
Topics
Community Discussion
No community discussion yet for this question.

