A security architect must establish a permanent, encrypted site-to-site link between company headquarters and a remote branch across the public Internet. Which of the following components MUST be deployed at BOTH locations to terminate the tunnel and perform the necessary encryption and decryption operations?
Layer-2/3 switch configured for VLAN trunking
VPN-capable gateway device (firewall, router, or concentrator)
Simple Mail Transfer Protocol (SMTP) relay server
Standalone Network Time Protocol (NTP) stratum-1 server
A site-to-site VPN relies on a VPN-capable gateway (such as a firewall, router, or dedicated concentrator) at each end of the connection. These devices negotiate the tunnel (e.g., with IKE/IPsec), encrypt outbound traffic, and decrypt inbound traffic. Without a capable gateway at both the headquarters and the branch, a secure tunnel cannot be established or maintained; components like switches, NTP servers, or e-mail relays do not provide this functionality.