CCNA: Cisco Certified Network Associate — Question 517
When a site-to-site VPN is configured, which IPsec mode provides encapsulation and encryption of the entire original IP packet?
Answer options
- A. IPsec transport mode with AH
- B. IPsec tunnel mode with AH
- C. IPsec transport mode with ESP
- D. IPsec tunnel mode with ESP
Correct answer: D
Explanation
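IPsec tunnel mode with ESP (option D) encapsulates and encrypts the entire original IP packet, original IP header included, and places it behind a new outer IP header, making it suitable for site-to-site VPNs. The other options either use transport mode, which encrypts only the payload and leaves the original IP header in place, or employ the Authentication Header (AH), which provides integrity and authentication but does not provide encryption.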