Implementing Secure Solutions with Virtual Private Networks (SVPN) — Question 80

A network administrator is troubleshooting a FlexVPN tunnel. The hub router is unable to ping the spoke router's tunnel interface IP address of 192.168.1.2, even though the tunnel is showing up. The output of the debug ip packet CLI command on the hub router shows the following entry.

IP: tableid=0123456789 s=192.168.1.1 (local), d=192.168.1.2 (loopback2), routed via FIB.

What must be configured to fix this issue?

Answer options

• A. A matching IKEv2 pre-shared key on the hub and spoke routers in the crypto keyring configuration.
• B. An outbound ACL on the dynamic VTI of the hub router that allows ICMP traffic to 192.168.1.2.
• C. An IKEv2 authorization policy must be configured on the spoke router to advertise the interface route.
• D. A route map must be configured on hub router to set the next hop for 192.168.1.2 to the dynamic VTI.

Correct answer: D

Explanation

The correct answer is D because a route map is necessary to specify the next hop for the spoke router's tunnel interface IP. Options A and C relate to authentication and authorization, which would not resolve the routing issue, while option B could allow ICMP but does not address the fundamental routing requirement to reach 192.168.1.2.