Kings,

I think Piotr suggests that you type all the commands for ISAKMP policy,
including the defaults.

Johan

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: 10 February 2010 19:22
To: Piotr Kaluzny
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPSec lan to lan issue

 

Hi Piotr

I don't get the meaning of hardcode. Do you mean to save the config with isakmp
policy and reload?

Or put all the combinations of the isakmp policies?

With regards

Kings

On Wed, Feb 10, 2010 at 9:52 PM, Piotr Kaluzny <[email protected]> wrote:

Kingsley,

Hard-code the whole ISAKMP policy on the ASA and try it again.

Regards,
-- 
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com <http://www.ipexpert.com/> 



On Wed, Feb 10, 2010 at 4:51 PM, Kingsley Charles
<[email protected]> wrote:

Hi all

I was trying to bring an IPSec Lan to Lan connection between two ASAs but in
vain it didn't come up. Since the debugs were not enough to troubleshoot, I
switched the IPSec between an ASA and router.

The following was the debug crypto isakmp

Feb 10 21:24:58.508: ISAKMP:      default group 1
Feb 10 21:24:58.508: ISAKMP:      encryption 3DES-CBC
Feb 10 21:24:58.508: ISAKMP:      keylength of 56797
Feb 10 21:24:58.508: ISAKMP:      hash SHA
Feb 10 21:24:58.508: ISAKMP:      auth pre-share
Feb 10 21:24:58.508: ISAKMP:      life type in seconds
Feb 10 21:24:58.508: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

Feb 10 21:24:58.508: ISAKMP:(0):Unexpected key length attribute
Feb 10 21:24:58.508: ISAKMP:(0):atts are not acceptable. Next payload is 0
Feb 10 21:24:58.508: ISAKMP:(0):no offers accepted!

 

 

I have never seen this issue, hope it doesn't come in the lab.

We can't do anything about the keylength that is being exchanged in DH
exchange :-(

With regards

Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/> 
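
An added example, not part of the thread: a small parser for the `debug crypto isakmp` proposal lines quoted above that decodes the lifetime bytes and flags a Key Length attribute sent with a fixed-key cipher, which RFC 2409 Appendix A says must not be used. The function names, the field names and the `FIXED_KEY_CIPHERS` set are assumptions made for this illustration.

```python
import re

# Constructed sample: the proposal lines quoted in the thread's debug output.
SAMPLE = """\
Feb 10 21:24:58.508: ISAKMP:      default group 1
Feb 10 21:24:58.508: ISAKMP:      encryption 3DES-CBC
Feb 10 21:24:58.508: ISAKMP:      keylength of 56797
Feb 10 21:24:58.508: ISAKMP:      hash SHA
Feb 10 21:24:58.508: ISAKMP:      auth pre-share
Feb 10 21:24:58.508: ISAKMP:      life type in seconds
Feb 10 21:24:58.508: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Feb 10 21:24:58.508: ISAKMP:(0):Unexpected key length attribute
"""

# Debug label -> field name (labels as they appear in the output above).
LABELS = {
    "default group": "group", "encryption": "encryption",
    "keylength of": "keylength", "hash": "hash", "auth": "auth",
    "life type in": "life_type", "life duration (VPI) of": "life_duration",
}
ATTR = re.compile(r"ISAKMP:\s+(%s)\s+(.+?)\s*$" % "|".join(map(re.escape, LABELS)))

# Assumption: names of fixed-key ciphers as this debug output prints them.
FIXED_KEY_CIPHERS = {"DES-CBC", "3DES-CBC"}

def parse_proposal(text):
    """Collect the IKE phase 1 transform attributes from debug lines."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR.search(line)
        if not m:
            continue  # status lines such as "ISAKMP:(0):..." carry no attribute
        label, value = m.groups()
        if label == "keylength of":
            value = int(value)
        elif label.startswith("life duration"):
            # The VPI value is printed as big-endian bytes: 0x0 0x1 0x51 0x80
            value = int.from_bytes(bytes(int(b, 16) for b in value.split()), "big")
        attrs[LABELS[label]] = value
    return attrs

def check(attrs):
    """Return findings for attributes a strict IKEv1 responder would reject."""
    findings = []
    if "keylength" in attrs and attrs.get("encryption") in FIXED_KEY_CIPHERS:
        findings.append("key length %d sent with fixed-key cipher %s"
                        % (attrs["keylength"], attrs["encryption"]))
    return findings

if __name__ == "__main__":
    proposal = parse_proposal(SAMPLE)
    print(proposal, check(proposal))
```
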





 
