PrepAway - Latest Free Exam Questions & Answers

Which two changes must you make to the given IOS site-to-site VPN configuration to enable the routers to form

Refer to the exhibit.

Which two changes must you make to the given IOS site-to-site VPN configuration to enable the
routers to form a connection? (Choose two.)

A. Configure a valid route on Router A.

B. Configure the access list on Router B to mirror Router A.

C. Configure Router B’s ISAKMP policy to match the policy on Router A.

D. Configure the tunnel modes on the two routers to match.

Explanation:
You must configure symmetric crypto ACLs for use by IPsec. Both inbound and outbound traffic
are evaluated against the same outbound IPsec ACL. The ACL criteria are applied in the forward
direction to traffic exiting your router, and the reverse direction to traffic entering your router. When
a router receives encrypted packets back from an IPsec peer, it uses the same ACL to determine
which inbound packets to decrypt by viewing the source and destination addresses in the ACL in
reverse order.
Important note:
The crypto ACLs used by IPsec must be mirror-image ACLs because both inbound and outbound
traffic is evaluated against the same outbound IPsec ACL. Also, the tunnel modes must match on
each end. Here we see that Router A is using transport mode while Router B is configured for
tunnel mode.
Reference: http://lonetsec.blogspot.com/2011/02/cisco-cli-site-to-site-ipsec-vpn.html
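
The two checks from the explanation (mirror-image crypto ACLs and matching transform-set modes) can be automated when auditing a pair of peer configurations. The script below is an added example, not part of the original page or its exhibit; the addresses, ACL number 101, transform-set name and the `audit` helper are constructed for illustration, and it assumes one transform set per router.

```python
import re

# Constructed sample configs (the page's exhibit is not reproduced here).
ROUTER_A = """crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"""
# Broken peer: ACL copied from Router A instead of mirrored, and a different mode.
ROUTER_B = """crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"""
# Corrected peer: source/destination swapped and mode equal to Router A's.
ROUTER_B_FIXED = """crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"""

def _endpoint(tokens):
    """Consume one ACL address spec and normalise it to (address, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

def crypto_acl(config, acl_id):
    """Return the permit entries of a numbered ACL as (protocol, source, destination)."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["access-list", acl_id, "permit"]:
            proto, rest = tokens[3], tokens[4:]
            src = _endpoint(rest)
            dst = _endpoint(rest)
            entries.add((proto, src, dst))
    return entries

def ipsec_mode(config):
    """Return the transform-set mode; IOS uses tunnel mode when none is configured."""
    m = re.search(r"^\s*mode\s+(tunnel|transport)\b", config, re.M)
    return m.group(1) if m else "tunnel"

def audit(cfg_a, cfg_b, acl_id="101"):
    """Return the mismatches between two peers that the explanation above names."""
    problems = []
    mirrored = {(p, d, s) for p, s, d in crypto_acl(cfg_a, acl_id)}
    if mirrored != crypto_acl(cfg_b, acl_id):
        problems.append("crypto ACLs are not mirror images")
    if ipsec_mode(cfg_a) != ipsec_mode(cfg_b):
        problems.append("transform-set modes differ")
    return problems
```

Calling `audit(ROUTER_A, ROUTER_B)` reports both mismatches, while `audit(ROUTER_A, ROUTER_B_FIXED)` returns an empty list.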