The IPsec crypto ACL is what we usually call the VPN "interesting traffic": it defines the proxy identities (local and remote subnets) that the Phase 2 SA is negotiated for, so the two peers' ACLs must be exact mirror images of each other. In day-to-day work, problems caused by a misconfigured crypto ACL are very common. The typical symptom is a "QM FSM error", which you can see on a PIX/ASA by running "debug crypto isakmp":

May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0x41f7f80, mess id 0x4d3d6016)!
May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!

      Cisco's explanation of this error message:
QM FSM Error
The IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA, and the QM FSM error message appears. One possible reason is the proxy identities, such as interesting traffic, Access Control List (ACL) or crypto ACL, do not match on both the ends. Check the configuration on both the devices, and make sure that the crypto ACLs match.
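A small checker for the "crypto ACLs must mirror each other" rule, added here as an example and not part of the original post or of any Cisco tool. It parses "access-list ... extended permit ip" entries from two peers (the sample ACLs, names and addresses below are constructed for illustration; one entry on the branch side deliberately carries the wrong mask), reports proxy IDs that exist on only one side, and picks the "QM FSM error" lines out of a captured "debug crypto isakmp" output. It handles only the plain network/mask, host and any forms of an ACE; object-groups are not expanded.

```python
import ipaddress
import re

# Constructed sample: crypto ACL on the HQ ASA (names/addresses are hypothetical).
HQ_ACL = """
access-list VPN-TO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-TO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
"""

# Constructed sample: branch ASA with a typo in the mask of the second entry
# (255.255.255.0 instead of 255.255.0.0), so its proxy ID does not mirror HQ's.
BRANCH_ACL_BAD = """
access-list VPN-TO-HQ extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list VPN-TO-HQ extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.255.0
"""

# Constructed sample: the corrected branch ACL, an exact mirror of HQ's.
BRANCH_ACL_GOOD = """
access-list VPN-TO-HQ extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list VPN-TO-HQ extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
"""


def _parse_addr(tokens, i):
    """Parse one ASA address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_crypto_acl(text):
    """Return the set of (source_net, destination_net) proxy IDs in an ASA ACL."""
    proxy_ids = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        # Only "access-list NAME extended permit ip SRC DST" entries matter here.
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        proxy_ids.add((src, dst))
    return proxy_ids


def proxy_id_mismatches(local, remote):
    """Compare the local ACL with the mirror of the remote ACL.

    Returns (only_on_local, only_on_remote) as sorted "src -> dst" strings,
    both expressed from the local peer's point of view. Two empty lists mean
    the proxy identities match and this is not the cause of a QM FSM error.
    """
    remote_mirrored = {(dst, src) for src, dst in remote}
    fmt = lambda pair: f"{pair[0]} -> {pair[1]}"
    only_local = [fmt(p) for p in sorted(local - remote_mirrored)]
    only_remote = [fmt(p) for p in sorted(remote_mirrored - local)]
    return only_local, only_remote


QM_FSM_RE = re.compile(r"Group = (\S+), IP = (\S+), QM FSM error")


def qm_fsm_errors(debug_output):
    """Return (group, peer_ip) for every QM FSM error line in isakmp debug output."""
    return [m.groups() for line in debug_output.splitlines()
            if (m := QM_FSM_RE.search(line))]


if __name__ == "__main__":
    hq = parse_crypto_acl(HQ_ACL)
    for label, branch in (("bad", BRANCH_ACL_BAD), ("good", BRANCH_ACL_GOOD)):
        only_hq, only_branch = proxy_id_mismatches(hq, parse_crypto_acl(branch))
        print(label, "only on HQ:", only_hq, "only on branch (mirrored):", only_branch)
```

Run it against the two sides' "show running-config access-list" output; any proxy ID that shows up in only one of the two lists is the entry to fix before looking anywhere else for the QM FSM error.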

      This article explains the whole IKE and IPsec negotiation process in detail: http://jackiechen.blog.51cto.com/196075/158222