Kings What Piotr is referring to is actually specifying the whole ISAKMP policy in the configuration instead of relying on the default defined policies. Did you manually create the ISAKMP policy assigning a specific DH group to it? If so what group did you use?
Stu On Wed, Feb 10, 2010 at 5:22 PM, Kingsley Charles < [email protected]> wrote: > Hi Piotr > > I don't get meaning of hardcode. Do you mean to save the config with isakmp > policy abd reload? > > Or put all the combination of the isakmp policies? > > With regards > Kings > > > > > On Wed, Feb 10, 2010 at 9:52 PM, Piotr Kaluzny <[email protected]>wrote: > >> Kingsley, >> >> Hard-code the whole ISAKMP policy on the ASA and try it again. >> >> Regards, >> -- >> Piotr Kaluzny >> CCIE #25665 (Security), CCSP, CCNP >> Sr. Support Engineer - IPexpert, Inc. >> URL: http://www.IPexpert.com <http://www.ipexpert.com/> >> >> >> On Wed, Feb 10, 2010 at 4:51 PM, Kingsley Charles < >> [email protected]> wrote: >> >>> Hi all >>> >>> I was trying to bring an IPSec Lan to Lan connection between two ASAs but >>> in vain it didn't come up. Since, the debugs was not enough to troubleshoot, >>> I switched the IPSec between an ASA and router. >>> >>> The following was the debug crypto isakmo >>> >>> >>> Feb 10 21:24:58.508: ISAKMP: default group 1 >>> Feb 10 21:24:58.508: ISAKMP: encryption 3DES-CBC >>> Feb 10 21:24:58.508: ISAKMP: keylength of 56797 >>> Feb 10 21:24:58.508: ISAKMP: hash SHA >>> Feb 10 21:24:58.508: ISAKMP: auth pre-share >>> Feb 10 21:24:58.508: ISAKMP: life type in seconds >>> Feb 10 21:24:58.508: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 >>> 0x80 >>> Feb 10 21:24:58.508: ISAKMP:(0):Unexpected key length attribute >>> Feb 10 21:24:58.508: ISAKMP:(0):atts are not acceptable. Next payload is >>> 0 >>> Feb 10 21:24:58.508: ISAKMP:(0):no offers accepted! >>> >>> >>> I have never seen this issue, hope it doesn't come in the lab. >>> >>> We can't do anything about the keylength that is being exchanged in DH >>> exchange :-( >>> >>> >>> With regards >>> Kings >>> >>> _______________________________________________ >>> For more information regarding industry leading CCIE Lab training, please >>> visit www.ipexpert.com >>> >>> >> >> >> >> > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > -- Regards, Stuart Hare CCIE #25616 (Security), CCSP, Microsoft MCP Sr. Support Engineer – IPexpert, Inc. URL: http://www.IPexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
