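The IPSec ACL is what we usually call VPN interesting traffic. In real-world work, problems caused by misconfiguring this ACL are very common. The typical error is "QM FSM error", which you can see on a PIX/ASA by running "debug crypto isakmp".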

May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0x41f7f80, mess id 0x4d3d6016)!
May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!

Cisco's website explains this error log as follows:

This article explains the entire IKE and IPsec process in detail: http://jackiechen.blog.51cto.com/196075/158222
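
One way to check for the ACL misconfiguration described above is to compare the interesting-traffic ACLs of both peers offline. The script below is an added example, not part of the original post. It assumes the usual cause of this error, crypto ACLs on the two peers that are not exact mirror images of each other; the ACL name `VPN-ACL`, the addresses, and both sample configurations are constructed.

```python
import ipaddress

def parse_crypto_acl(config_text):
    """Collect (source, destination) networks from ASA-style lines of the form
    'access-list NAME extended permit ip SRC MASK DST MASK'.
    Other forms (host, any, object-group, deny) are skipped in this example."""
    pairs = set()
    for line in config_text.splitlines():
        tok = line.split()
        if (len(tok) != 9 or tok[0] != "access-list"
                or tok[2:5] != ["extended", "permit", "ip"]):
            continue
        # strict=False masks off stray host bits so entries compare by network
        src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}", strict=False)
        dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}", strict=False)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_cfg, remote_cfg):
    """Return entries on each peer that have no mirrored entry on the other.
    Each entry is reported in the orientation of the peer that holds it."""
    local = parse_crypto_acl(local_cfg)
    remote = parse_crypto_acl(remote_cfg)
    local_only = [(s, d) for s, d in local if (d, s) not in remote]
    remote_only = [(s, d) for s, d in remote if (d, s) not in local]
    fmt = lambda entries: sorted(f"{s} -> {d}" for s, d in entries)
    return {"local_only": fmt(local_only), "remote_only": fmt(remote_only)}

# Constructed sample configurations (not taken from the original post).
SITE_A = """
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
"""
SITE_B = """
access-list VPN-ACL extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-ACL extended permit ip 10.3.0.0 255.255.0.0 10.1.1.0 255.255.255.0
"""

if __name__ == "__main__":
    report = mirror_mismatches(SITE_A, SITE_B)
    for side, entries in report.items():
        for entry in entries:
            print(f"{side}: {entry} has no mirror on the other peer")
```

An empty list on both sides means every permitted flow has an exact mirror; any reported entry is a proxy-identity pair that the two peers would not agree on during Quick Mode.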