Beginner

IKE Needs to Negotiate IPSec SAs Problem

Hi,

I have a network configuration with two routers and the internet in the middle, with an IPsec VPN as backup. When I run the simulation in Packet Tracer the packet stops at the firewall and this error comes up: "the interesting traffic can not be encrypted, IKE needs to negotiate IPSec SAs." Below are my configurations for one of the routers, since they both get the same message.

hostname FWB
!
no ip cef
no ipv6 cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key vpnpa55 address 100.1.1.2
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 100.1.1.2
 set transform-set VPN-SET
 match address VPN-TRAFFIC
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 100.2.2.2 255.255.255.252
 ip access-group 120 in
 ip nat outside
 crypto map VPN-MAP
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.20.1 255.255.255.252
 ip nat inside
 clock rate 64000
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial0/0/1 overload
ip classless
ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 200.3.4.0 0.0.0.255 any
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Thanks,

Joe

1 ACCEPTED SOLUTION

VIP Mentor

Re: IKE Needs to Negotiate IPSec SAs Problem

Hello,

there were multiple problems with your configurations:

1. incorrect static routes on all 5 routers
2. incorrect NAT exemption statement for VPN traffic in NAT access lists (100)
3. NAT inside and outside interfaces switched
4. access-list 120 blocking all Internet inbound and outbound traffic

Review the attached file and see if you can make sense of it...

Beginner

Re: IKE Needs to Negotiate IPSec SAs Problem

Here is my topology. 

VIP Mentor

Re: IKE Needs to Negotiate IPSec SAs Problem

Hello,

the problem is likely the IP addressing of your inside interface. You have configured:

interface Serial0/0/1
 bandwidth 64
 --> ip address 192.168.20.1 255.255.255.252
 ip nat inside
 clock rate 64000

while all your access lists specify 192.168.2.0/24. There also is a route that you don't need. It is probably faster to change the IP address of the inside interface, rather than to change all the access lists. So make the changes marked with -->:

interface Serial0/0/1
 bandwidth 64
 --> ip address 192.168.2.1 255.255.255.252
 ip nat inside
 clock rate 64000
!
ip nat inside source list 100 interface Serial0/0/1 overload
ip classless
--> no ip route 192.168.2.0 255.255.255.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip flow-export version 9
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 200.3.4.0 0.0.0.255 any
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

Highlighted
Beginner

Re: IKE Needs to Negotiate IPSec SAs Problem

The 192.168.20.1 is the IP that connects to router B. Router B's other IP is 192.168.20.2. I am pretty sure it does not have to be changed?

Hall of Fame Expert

Re: IKE Needs to Negotiate IPSec SAs Problem

Hello @Lesus ,

looking at your network topology diagram, the IP subnet 192.168.2.0/24 is the LAN behind RTRB, downstream of FWB.

And your configuration of FWB looks correct.

You need to verify the configuration of the IPSec peer regarding ISAKMP and regarding the ACL of interesting traffic.

The two ACLs must be a mirror of each other, with the subnets swapped, following this logic:

permit ip <local-LAN> <local-LAN-wildcard-mask> <remote-LAN> <remote-LAN-wildcard-mask>

Hope to help

Giuseppe
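As an added example (not from this thread or from Cisco), the two checks raised in the replies above, the mirrored crypto ACL pair and the NAT exemption for VPN traffic named in the accepted answer, can be verified mechanically before the tunnel is brought up. This Python script parses the extended ACLs from constructed sample configs for the two peers (the peer names FWA and FWB and FWA's lines are assumptions; FWB's lines follow the post) and reports when the remote crypto ACL is not the local one with source and destination swapped, or when the local NAT ACL would translate a VPN flow because its deny entry is missing or comes after a matching permit.

```python
# Constructed sample configs for the two peers (names FWB and FWA assumed; FWB's lines follow the post)
FWB_CFG = """\
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
"""
FWA_CFG = """\
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""

def _ace(body):
    # 'permit ip SRC DST' -> (action, src, dst); 'any' stays, else 'net/wildcard'
    t, ends = body.split()[2:], []        # drop the action and protocol keyword
    while t:
        n = 1 if t[0] == "any" else 2
        ends.append("/".join(t[:n]))
        t = t[n:]
    return body.split()[0], ends[0], ends[1]

def parse_acl(cfg, name):
    # Collect the ACEs of a numbered or named extended ACL, in config order
    aces, in_named = [], False
    for line in cfg.splitlines():
        if line.startswith("ip access-list extended "):
            in_named = line.split()[-1] == name
        elif line.startswith("access-list " + name + " "):
            aces.append(_ace(line.split(None, 2)[2]))
        elif in_named and line.startswith(" "):
            aces.append(_ace(line.strip()))
        else:
            in_named = False
    return aces

def check_peer_pair(local_cfg, remote_cfg, crypto_acl="VPN-TRAFFIC", nat_acl="100"):
    # Findings for the local peer; an empty list means both checks passed
    findings, local = [], parse_acl(local_cfg, crypto_acl)
    # 1. The peer's crypto ACL must be ours with source and destination swapped
    if not local or [(a, d, s) for a, s, d in local] != parse_acl(remote_cfg, crypto_acl):
        findings.append("crypto ACL %s is missing or not mirrored on the peer" % crypto_acl)
    # 2. First NAT ACE matching a VPN flow must be a deny (NAT exemption), or PAT rewrites the source first
    for action, src, dst in local:
        for nat_action, nsrc, ndst in parse_acl(local_cfg, nat_acl):
            if action == "permit" and nsrc in ("any", src) and ndst in ("any", dst):
                if nat_action == "permit":
                    findings.append("NAT ACL %s translates VPN flow %s -> %s" % (nat_acl, src, dst))
                break
    return findings
```

Run against the samples, FWB passes both checks while FWA is flagged for the missing deny in access-list 100; feeding a peer its own config reproduces the "not mirrored" finding.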

 

 

Beginner

Re: IKE Needs to Negotiate IPSec SAs Problem

I do have an ACL specifying both subnets that is mirrored like you said called VPN-TRAFFIC. Both the 192.168.1.0 and 192.168.2.0.

VIP Mentor

Re: IKE Needs to Negotiate IPSec SAs Problem

Hello,

I am lost to be honest:

interface Serial0/0/1
 bandwidth 64
 ip address 192.168.20.1 255.255.255.252
 ip nat inside
 clock rate 64000

How is that interface (ip nat inside) connected to the other router? It is the inside. What traffic are you trying to encrypt? Actually, post your zipped Packet Tracer project (.pkt) file here as an attachment...

Beginner

Re: IKE Needs to Negotiate IPSec SAs Problem

Sorry, very hard to explain everything! Attached is my .pkt file.

 

Thanks

VIP Mentor

Re: IKE Needs to Negotiate IPSec SAs Problem

Hello,

where is the attachment?

Beginner

Re: IKE Needs to Negotiate IPSec SAs Problem

 

Beginner

Re: IKE Needs to Negotiate IPSec SAs Problem

Thank you, I now understand what I did wrong! Thanks for your help!

Beginner

Re: IKE Needs to Negotiate IPSec SAs Problem

192.168.2.0 is Host B's subnet just to add.