IKE Needs to Negotiate IPSec SAs Problem

Lesus
Level 1

Hi,

 

I have a network configuration with two routers and the internet in the middle with an ipsec VPN as backup. When I run simulation in packet tracer the packet stops at the firewall and this error comes up, "the interesting traffic can not be encrypted, IKE needs to negotiate IPSec SAs." Below are my configurations for one of the routers since they both get the same message. 

hostname FWB
!
no ip cef
no ipv6 cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key vpnpa55 address 100.1.1.2
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 100.1.1.2
 set transform-set VPN-SET
 match address VPN-TRAFFIC
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 100.2.2.2 255.255.255.252
 ip access-group 120 in
 ip nat outside
 crypto map VPN-MAP
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.20.1 255.255.255.252
 ip nat inside
 clock rate 64000
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial0/0/1 overload
ip classless
ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 200.3.4.0 0.0.0.255 any
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

 

Thanks,

Joe


12 Replies

Lesus
Level 1

Here is my topology. 

Hello,

 

the problem is likely the IP addressing of your inside interface. You have configured:

 

interface Serial0/0/1
 bandwidth 64
 --> ip address 192.168.20.1 255.255.255.252
 ip nat inside
 clock rate 64000

 

while all your access lists specify 192.168.2.0/24. There also is a route that you don't need. It is probably faster to change the IP address of the inside interface, rather than to change all the access lists. So make the changes marked with -->:

interface Serial0/0/1
 bandwidth 64
 --> ip address 192.168.2.1 255.255.255.252
 ip nat inside
 clock rate 64000
!
ip nat inside source list 100 interface Serial0/0/1 overload
ip classless
--> no ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 200.3.4.0 0.0.0.255 any
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

The 192.168.20.1 is the IP that connects to router B. Router B's other IP is 192.168.20.2. I am pretty sure it does not have to be changed?

Hello @Lesus ,

Looking at your network topology diagram, the IP subnet 192.168.2.0/24 is the LAN behind RTRB, downstream of FWB.

And your configuration of FWB looks correct.

You need to verify the configuration of the IPSec peer regarding ISAKMP and regarding the ACL of interesting traffic.

The two ACLs must be a mirror of each other with a swap of the subnets with the following logic:

permit ip <local-LAN> <local-LAN-wildcard-mask> <remote-LAN> <remote-LAN-wildcard-mask>

 

Hope to help

Giuseppe

 

 

I do have an ACL specifying both subnets that is mirrored like you said called VPN-TRAFFIC. Both the 192.168.1.0 and 192.168.2.0.

Hello,

 

I am lost to be honest:

 

interface Serial0/0/1
 bandwidth 64
 ip address 192.168.20.1 255.255.255.252
 ip nat inside
 clock rate 64000

 

How is that interface (ip nat inside) connected to the other router? It is the inside. What traffic are you trying to encrypt? Actually, post your zipped Packet Tracer project (.pkt) file here as an attachment...

Sorry, very hard to explain everything! Attached is my .pkt file.

 

Thanks

Hello,

 

Where is the attachment?

 

Hello,

 

there were multiple problems with your configurations:

 

1. incorrect static routes on all 5 routers

2. incorrect NAT exemption statement for VPN traffic in NAT access lists (100)

3. NAT inside and outside interfaces switched

4. access-list 120 blocking all Internet inbound and outbound traffic

 

Review the attached file and see if you can make sense of it...
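Points 2 and 3 of the accepted answer (NAT exemption for VPN traffic, NAT inside/outside roles) and Giuseppe's rule that the two crypto ACLs must mirror each other are all things you can check mechanically instead of eyeballing a running-config. The script below is an added example, not code from the original post or from the attached .pkt file: it parses a pasted IOS running-config, reads out the crypto map, the interface NAT roles, the NAT source list and the ACLs, and reports the three classic crypto-map-plus-NAT mistakes. It only understands plain `permit|deny ip SRC WILDCARD DST WILDCARD` entries; the two sample configs and the two peer-side ACLs are constructed to resemble FWB's posted config and are not the corrected configuration from the attachment.

```python
# Lint a Cisco IOS crypto-map VPN config for the NAT / interesting-traffic mistakes named in
# this thread. Added example (not from the original post or its .pkt file): assumes the plain
# 'show running-config' layout pasted above; every config sample below is constructed.
import ipaddress

def _take_net(t, i):
    """Consume one IOS address spec at t[i] ('any' or 'ADDR WILDCARD'); return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # an IOS wildcard (0.0.0.255) is the inverted netmask (255.255.255.0); assumes a contiguous mask
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((t[i], str(netmask)), strict=False), i + 2

def _ace(t):  # ['permit', 'ip', SRC, WC, DST, WC] -> (action, src_net, dst_net)
    src, i = _take_net(t, 2)
    return t[0], src, _take_net(t, i)[0]

def parse_config(text):
    cfg = {"acls": {}, "crypto_maps": {}, "interfaces": {}, "nat_list": None, "nat_iface": None}
    ctx = None  # current stanza: ("acl", list) | ("iface", dict) | ("cmap", dict)
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list":                        # numbered ACL entry, global scope
            cfg["acls"].setdefault(t[1], []).append(_ace(t[2:]))
            ctx = None
        elif t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", cfg["acls"].setdefault(t[3], []))
        elif t[0] == "interface":
            ctx = ("iface", cfg["interfaces"].setdefault(t[1], {"nat": None, "crypto_map": None}))
        elif t[:2] == ["crypto", "map"] and len(t) > 3:   # 'crypto map NAME SEQ ipsec-isakmp'
            ctx = ("cmap", cfg["crypto_maps"].setdefault(t[2], {"match": None}))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_list"], cfg["nat_iface"] = t[5], (t[7] if t[6:7] == ["interface"] else None)
            ctx = None
        elif ctx and ctx[0] == "acl" and t[0] in ("permit", "deny"):
            ctx[1].append(_ace(t))
        elif ctx and ctx[0] == "iface" and t[:2] == ["ip", "nat"]:
            ctx[1]["nat"] = t[2]                         # 'inside' or 'outside'
        elif ctx and ctx[0] == "iface" and t[:2] == ["crypto", "map"]:
            ctx[1]["crypto_map"] = t[2]
        elif ctx and ctx[0] == "cmap" and t[:2] == ["match", "address"]:
            ctx[1]["match"] = t[2]
    return cfg

def first_match(acl, src, dst):
    """IOS evaluates an ACL top-down, first match wins, implicit deny at the end."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def check_vpn(cfg, peer_crypto_acl):
    """Return a list of findings; an empty list means none of the checks fired."""
    out, ifs, nat_acl = [], cfg["interfaces"], cfg["acls"].get(cfg["nat_list"], [])
    if cfg["nat_iface"] in ifs and ifs[cfg["nat_iface"]]["nat"] != "outside":
        out.append(f"NAT overload interface {cfg['nat_iface']} is not 'ip nat outside'")
    peer_permits = {(s, d) for a, s, d in peer_crypto_acl if a == "permit"}
    for name, cm in cfg["crypto_maps"].items():
        # with NAT in play, the crypto map belongs on the 'ip nat outside' (WAN) interface
        for i, d in ifs.items():
            if d["crypto_map"] == name and cfg["nat_list"] and d["nat"] != "outside":
                out.append(f"crypto map {name} is on {i}, which is not 'ip nat outside' (inside/outside switched?)")
        for s, d in ((s, d) for a, s, d in cfg["acls"].get(cm["match"], []) if a == "permit"):
            # NAT exemption: VPN traffic must hit a deny in the NAT ACL, or it is translated before crypto
            if first_match(nat_acl, s, d) == "permit":
                out.append(f"NAT ACL {cfg['nat_list']} would translate {s} -> {d}; add a deny for that pair above the permit")
            # the peer's crypto ACL must be the exact mirror: our destination is its source and vice versa
            if (d, s) not in peer_permits:
                out.append(f"peer crypto ACL lacks the mirror of {s} -> {d}")
    return out

# Constructed samples: BROKEN_CFG has the NAT roles swapped and no NAT exemption, FIXED_CFG corrects both.
BROKEN_CFG = """\
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
interface Serial0/0/0
 ip nat inside
 crypto map VPN-MAP
interface Serial0/0/1
 ip nat outside
ip nat inside source list 100 interface Serial0/0/1 overload
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
"""
FIXED_CFG = (BROKEN_CFG
             .replace(" ip nat outside\n", " ip nat inside\n")               # Serial0/0/1 -> inside
             .replace(" ip nat inside\n crypto", " ip nat outside\n crypto")  # Serial0/0/0 -> outside
             .replace("Serial0/0/1 overload", "Serial0/0/0 overload")
             .replace("access-list 100 permit", "access-list 100 deny ip 192.168.2.0 0.0.0.255 "
                      "192.168.1.0 0.0.0.255\naccess-list 100 permit"))
# Constructed far-end (FWA) crypto ACLs: the exact mirror of VPN-TRAFFIC, and a sloppy 'any'.
PEER_OK = parse_config("ip access-list extended X\n permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")["acls"]["X"]
PEER_BAD = parse_config("ip access-list extended X\n permit ip 192.168.1.0 0.0.0.255 any")["acls"]["X"]

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(label, check_vpn(parse_config(text), PEER_OK), sep=": ")
```

Run it as `python3 vpnlint.py`; to check a real box, paste its `show running-config` into a file and feed the text to `parse_config`, with the peer's crypto ACL parsed the same way. The NAT exemption check uses IOS first-match semantics on purpose: the `deny` for the VPN pair has to sit above the `permit ... any`, otherwise the inside host is translated to the WAN address before the crypto map ever sees the packet and the interesting-traffic ACL never matches, which is exactly the symptom Packet Tracer reports as "IKE needs to negotiate IPSec SAs". The mirror check is deliberately strict (`any` on one side is a finding) because IKE phase 2 compares the proxy identities derived from both ACLs.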

Thank you, I now understand what I did wrong! Thanks for your help!

192.168.2.0 is Host B's subnet just to add.