05-21-2020 10:35 PM
Hi,
I have a network configuration with two routers and the Internet in the middle, with an IPsec VPN as backup. When I run a simulation in Packet Tracer, the packet stops at the firewall and this error comes up: "the interesting traffic can not be encrypted, IKE needs to negotiate IPSec SAs." Below is my configuration for one of the routers, since they both get the same message.
hostname FWB
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key vpnpa55 address 100.1.1.2
!
!
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer 100.1.1.2
set transform-set VPN-SET
match address VPN-TRAFFIC
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 100.2.2.2 255.255.255.252
ip access-group 120 in
ip nat outside
crypto map VPN-MAP
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.20.1 255.255.255.252
ip nat inside
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface Serial0/0/1 overload
ip classless
ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 200.3.4.0 0.0.0.255 any
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Thanks,
Joe
05-21-2020 10:43 PM
05-22-2020 12:09 AM
Hello,
the problem is likely the IP addressing of your inside interface. You have configured:
interface Serial0/0/1
bandwidth 64
--> ip address 192.168.20.1 255.255.255.252
ip nat inside
clock rate 64000
while all your access lists specify 192.168.2.0/24. There also is a route that you don't need. It is probably faster to change the IP address of the inside interface, rather than to change all the access lists. So make the changes marked in bold:
interface Serial0/0/1
bandwidth 64
--> ip address 192.168.2.1 255.255.255.252
ip nat inside
clock rate 64000
!
ip nat inside source list 100 interface Serial0/0/1 overload
ip classless
--> no ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 200.3.4.0 0.0.0.255 any
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
05-22-2020 12:29 AM
The 192.168.20.1 is the IP that connects to router B. Router B's other IP is 192.168.20.2. I am pretty sure it does not have to be changed?
05-22-2020 12:45 AM
Hello @Lesus ,
Looking at your network topology diagram, the IP subnet 192.168.2.0/24 is the LAN behind RTRB, downstream of FWB.
And your configuration of FWB looks correct.
You need to verify the configuration of the IPSec peer regarding ISAKMP and regarding the ACL of interesting traffic.
The two ACLs must be a mirror of each other with a swap of the subnets with the following logic:
permit ip <local-LAN> <local-LAN-wildcard-mask> <remote-LAN> <remote-LAN-wildcard-mask>
Hope to help
Giuseppe
05-22-2020 01:37 AM
I do have an ACL, called VPN-TRAFFIC, specifying both subnets and mirrored like you said: both 192.168.1.0 and 192.168.2.0.
05-22-2020 01:01 AM - edited 05-22-2020 01:03 AM
Hello,
I am lost to be honest:
interface Serial0/0/1
bandwidth 64
ip address 192.168.20.1 255.255.255.252
ip nat inside
clock rate 64000
How is that interface (ip nat inside) connected to the other router? It is the inside. What traffic are you trying to encrypt? Actually, post your zipped Packet Tracer project (.pkt) file here as an attachment...
05-22-2020 01:09 AM
Sorry, very hard to explain everything! Attached is my .pkt file.
Thanks
05-22-2020 02:57 AM
Hello,
where is the attachment?
05-22-2020 11:43 AM
05-22-2020 01:03 PM
Hello,
there were multiple problems with your configurations:
1. incorrect static routes on all 5 routers
2. incorrect NAT exemption statement for VPN traffic in NAT access lists (100)
3. NAT inside and outside interfaces switched
4. access-list 120 blocking all Internet inbound and outbound traffic
Review the attached file and see if you can make sense of it...
05-22-2020 01:44 PM
Thank you, I now understand what I did wrong! Thanks for your help!