Kingsley,

I have seen it one time before and the fix for me was to configure the whole policy as already mentioned and to use md5 for the hash instead of sha when using 3des. I am not sure if specifying it all was the fix or using md5 as the hash. I didn't dive into it further for root cause at the time.

crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 hash md5
 group 2

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at http://www.ipexpert.com/communities and our public website at http://www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, February 10, 2010 1:50 PM
To: Stuart Hare
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPSec lan to lan issue

Hi Stu

I did configure an ISAKMP policy. But I have never seen key length in the ISAKMP negotiations before. Tried combinations of various ISAKMP policies but hit the same issue.

With regards
Kings

On Thu, Feb 11, 2010 at 12:02 AM, Stuart Hare <[email protected]> wrote:

Kings

What Piotr is referring to is actually specifying the whole ISAKMP policy in the configuration instead of relying on the default defined policies.

Did you manually create the ISAKMP policy assigning a specific DH group to it? If so, what group did you use?

Stu

On Wed, Feb 10, 2010 at 5:22 PM, Kingsley Charles <[email protected]> wrote:

Hi Piotr

I don't get the meaning of hardcode. Do you mean to save the config with the isakmp policy and reload? Or put in all the combinations of the isakmp policies?

With regards
Kings

On Wed, Feb 10, 2010 at 9:52 PM, Piotr Kaluzny <[email protected]> wrote:

Kingsley,

Hard-code the whole ISAKMP policy on the ASA and try it again.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Wed, Feb 10, 2010 at 4:51 PM, Kingsley Charles <[email protected]> wrote:

Hi all

I was trying to bring up an IPSec Lan to Lan connection between two ASAs but in vain, it didn't come up. Since the debugs were not enough to troubleshoot, I switched the IPSec between an ASA and a router. The following was the debug crypto isakmp:

Feb 10 21:24:58.508: ISAKMP: default group 1
Feb 10 21:24:58.508: ISAKMP: encryption 3DES-CBC
Feb 10 21:24:58.508: ISAKMP: keylength of 56797
Feb 10 21:24:58.508: ISAKMP: hash SHA
Feb 10 21:24:58.508: ISAKMP: auth pre-share
Feb 10 21:24:58.508: ISAKMP: life type in seconds
Feb 10 21:24:58.508: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 10 21:24:58.508: ISAKMP:(0):Unexpected key length attribute
Feb 10 21:24:58.508: ISAKMP:(0):atts are not acceptable. Next payload is 0
Feb 10 21:24:58.508: ISAKMP:(0):no offers accepted!

I have never seen this issue, hope it doesn't come in the lab. We can't do anything about the keylength that is being exchanged in the DH exchange :-(

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
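The following is an added example written for this thread, not code from any of the posters or from IPexpert. It parses the `debug crypto isakmp` lines quoted above into the peer's phase-1 proposal and checks that proposal against the locally configured ISAKMP policies, reporting the two things the thread turns on: a key-length attribute sent alongside 3DES (a cipher whose key size is fixed, so IKEv1 proposals are assumed here to carry no key-length attribute for it) and the attribute mismatches against each configured policy. The debug-name to config-name mapping, the fixed-length-cipher rule and the policy dictionary format are this example's own assumptions; the sample debug lines are copied from the thread and the sample policy is the one Tyson posted.

```python
import re

# Constructed sample input: the "debug crypto isakmp" lines quoted in the thread.
SAMPLE_DEBUG = """\
Feb 10 21:24:58.508: ISAKMP: default group 1
Feb 10 21:24:58.508: ISAKMP: encryption 3DES-CBC
Feb 10 21:24:58.508: ISAKMP: keylength of 56797
Feb 10 21:24:58.508: ISAKMP: hash SHA
Feb 10 21:24:58.508: ISAKMP: auth pre-share
Feb 10 21:24:58.508: ISAKMP: life type in seconds
Feb 10 21:24:58.508: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Feb 10 21:24:58.508: ISAKMP:(0):Unexpected key length attribute
Feb 10 21:24:58.508: ISAKMP:(0):atts are not acceptable. Next payload is 0
Feb 10 21:24:58.508: ISAKMP:(0):no offers accepted!
"""

# Local policies as "crypto isakmp policy" would define them (the one from the
# thread: 3des / pre-share / md5 / group 2). Dictionary layout is an assumption.
LOCAL_POLICIES = [
    {"priority": 10, "encryption": "3des", "auth": "pre-share", "hash": "md5", "group": 2},
]

# Assumed mapping from the names the debug prints to the names typed in config.
ENCRYPTION_NAMES = {"3DES-CBC": "3des", "DES-CBC": "des", "AES-CBC": "aes"}
# Assumption: these ciphers have an algorithm-fixed key size, so an IKEv1
# proposal that carries a key-length attribute for them is malformed.
FIXED_LENGTH_CIPHERS = {"3des", "des"}

# Attribute lines look like "...: ISAKMP: <attribute> <value>"; the "(0):" status
# lines have no space after "ISAKMP:" and are deliberately not matched.
_ATTR_RE = re.compile(r"ISAKMP:\s+(.*)$")
_PATTERNS = [
    ("group", re.compile(r"default group (\d+)")),
    ("encryption", re.compile(r"encryption (\S+)")),
    ("keylength", re.compile(r"keylength of (\d+)")),
    ("hash", re.compile(r"hash (\S+)")),
    ("auth", re.compile(r"auth (\S+)")),
    ("life_type", re.compile(r"life type in (\S+)")),
    ("life_duration", re.compile(r"life duration \(VPI\) of (.*)")),
]


def parse_proposal(debug_text):
    """Extract the peer's phase-1 proposal attributes from debug output."""
    proposal = {}
    for line in debug_text.splitlines():
        m = _ATTR_RE.search(line)
        if not m:
            continue
        rest = m.group(1)
        for key, pat in _PATTERNS:
            am = pat.match(rest)
            if not am:
                continue
            value = am.group(1)
            if key in ("group", "keylength"):
                proposal[key] = int(value)
            elif key == "encryption":
                proposal[key] = ENCRYPTION_NAMES.get(value, value.lower())
            elif key == "life_duration":
                # The lifetime is printed as a big-endian byte list:
                # 0x0 0x1 0x51 0x80 -> 0x00015180 -> 86400 seconds.
                raw = bytes(int(b, 16) for b in value.split())
                proposal[key] = int.from_bytes(raw, "big")
            else:
                proposal[key] = value.lower()
            break
    return proposal


def check_proposal(proposal, policies):
    """Return the reasons the proposal would be rejected; [] means acceptable."""
    problems = []
    if "keylength" in proposal and proposal.get("encryption") in FIXED_LENGTH_CIPHERS:
        problems.append(
            f"unexpected key length attribute ({proposal['keylength']}) "
            f"for fixed-length cipher {proposal['encryption']}"
        )
    for policy in policies:
        mismatches = [
            k for k in ("encryption", "hash", "auth", "group")
            if proposal.get(k) != policy[k]
        ]
        if not mismatches:
            return problems  # a configured policy accepts these attributes
        problems.append(f"policy {policy['priority']}: mismatch on {', '.join(mismatches)}")
    problems.append("no offers accepted")
    return problems


if __name__ == "__main__":
    prop = parse_proposal(SAMPLE_DEBUG)
    print("peer proposal:", prop)
    for p in check_proposal(prop, LOCAL_POLICIES):
        print("  -", p)
```

Run against the thread's debug output and the posted policy, the checker reports the stray key-length attribute and a hash/group mismatch against policy 10, then "no offers accepted", which is the same conclusion the router's debug reached. Dropping the key-length attribute and configuring a policy with sha and group 1 makes the same proposal acceptable, which is a quick way to see which of the two problems a given policy change actually addresses.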
