Kingsley,

Hard-code the whole ISAKMP policy on the ASA and try it again.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Wed, Feb 10, 2010 at 4:51 PM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> I was trying to bring an IPSec Lan to Lan connection between two ASAs but
> in vain it didn't come up. Since the debugs were not enough to troubleshoot,
> I switched the IPSec between an ASA and router.
>
> The following was the debug crypto isakmp
>
>
> Feb 10 21:24:58.508: ISAKMP: default group 1
> Feb 10 21:24:58.508: ISAKMP: encryption 3DES-CBC
> Feb 10 21:24:58.508: ISAKMP: keylength of 56797
> Feb 10 21:24:58.508: ISAKMP: hash SHA
> Feb 10 21:24:58.508: ISAKMP: auth pre-share
> Feb 10 21:24:58.508: ISAKMP: life type in seconds
> Feb 10 21:24:58.508: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Feb 10 21:24:58.508: ISAKMP:(0):Unexpected key length attribute
> Feb 10 21:24:58.508: ISAKMP:(0):atts are not acceptable. Next payload is 0
> Feb 10 21:24:58.508: ISAKMP:(0):no offers accepted!
>
>
> I have never seen this issue, hope it doesn't come in the lab.
>
> We can't do anything about the keylength that is being exchanged in DH
> exchange :-(
>
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
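
The attribute check behind the "Unexpected key length attribute" line in the quoted debug, as an added example that is not part of the original thread or of any Cisco code. It relies on RFC 2409 Appendix A, which forbids a Key Length attribute with a fixed-key cipher; the function names and the AES key-size set are assumptions made for illustration.

```python
import re

# Constructed sample: the proposal lines from the debug output quoted above.
SAMPLE = """\
Feb 10 21:24:58.508: ISAKMP: default group 1
Feb 10 21:24:58.508: ISAKMP: encryption 3DES-CBC
Feb 10 21:24:58.508: ISAKMP: keylength of 56797
Feb 10 21:24:58.508: ISAKMP: hash SHA
Feb 10 21:24:58.508: ISAKMP: auth pre-share
Feb 10 21:24:58.508: ISAKMP: life type in seconds
Feb 10 21:24:58.508: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
"""

# RFC 2409 Appendix A: Key Length MUST NOT be sent with a fixed-key cipher.
FIXED_KEY_CIPHERS = {"DES-CBC", "3DES-CBC"}
# Assumption: key sizes accepted for AES; adjust to local policy.
AES_KEY_BITS = {128, 192, 256}

LINE = re.compile(r"ISAKMP:\s+(default group|encryption|keylength of|hash|auth|"
                  r"life type in|life duration \(VPI\) of)\s+(.+?)\s*$")

def parse_proposal(text):
    """Collect the attributes of one offered ISAKMP transform from debug lines."""
    attrs = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # status lines such as "ISAKMP:(0):..." are skipped
        key, value = m.group(1), m.group(2)
        if key == "keylength of":
            attrs["keylength"] = int(value)
        elif key.startswith("life duration"):
            # VPI bytes are big-endian: 0x0 0x1 0x51 0x80 -> 0x00015180
            raw = bytes(int(b, 16) for b in value.split())
            attrs["lifetime"] = int.from_bytes(raw, "big")
        else:
            attrs[key] = value
    return attrs

def check_proposal(attrs):
    """Return the attribute inconsistencies found in one parsed transform."""
    problems = []
    enc, klen = attrs.get("encryption"), attrs.get("keylength")
    if enc in FIXED_KEY_CIPHERS and klen is not None:
        problems.append(f"{enc} has a fixed key size but keylength {klen} was offered")
    if enc and enc.startswith("AES") and klen not in AES_KEY_BITS:
        problems.append(f"{enc} offered with unsupported keylength {klen}")
    return problems
```

Run over the quoted proposal, `check_proposal(parse_proposal(SAMPLE))` reports the 3DES-CBC/keylength mismatch, and the lifetime bytes decode to 86400 seconds.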
