I set up an IPsec tunnel on a Cisco 5585 ASA to a cloud provider.
We already have many tunnels to various cloud providers and other live sites, and they work fine, but this latest one has been very hard to set up. Here are the debug output and the configuration:
access-list ACL-VPN-CLOUD extended permit ip any4 object-group obj-NET-CLOUD
tunnel-group 193.164.94.47 type ipsec-l2l
tunnel-group 193.164.94.47 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
crypto map CRYPTO-MAP 4202 match address ACL-VPN-CLOUD
crypto map CRYPTO-MAP 4202 set pfs group1
crypto map CRYPTO-MAP 4202 set peer 193.164.94.47
crypto map CRYPTO-MAP 4202 set ikev1 transform-set CLOUD-ESP-AES-MD5
crypto map CRYPTO-MAP 4202 set security-association lifetime seconds 86400
nat (any,outside) source static obj-NET-PRIVATE obj-NET-PRIVATE destination static obj-NET-CLOUD obj-NET-CLOUD
I can see that Phase 1 completes (show crypto isakmp sa):
16 IKE Peer: 193.164.94.47
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
But Phase 2 has problems bringing the tunnel up. You can see the full debug here: https://pastebin.com/fX2tz29G
In the debug I noticed the following error. I have cross-checked all the transform sets and ACLs, and so far everything looks fine.
Sep 15 03:14:33 [IKEv1]Group = 193.164.94.47, IP = 193.164.94.47, QM FSM error (P2 struct &0x00007f41f1085ae0, mess id 0xb6aed5ce)!
Sep 15 03:14:33 [IKEv1 DEBUG]Group = 193.164.94.47, IP = 193.164.94.47, IKE QM Initiator FSM error history (struct &0x00007f41f1085ae0) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
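As an added example (not part of the question above, and not a Cisco tool), here is a small Python parser for the two ASA debug lines the question quotes. It turns the "FSM error history" into a list of state/event transitions and ties it to the "QM FSM error" summary line through the shared P2 struct address. It assumes the history is printed newest-first, which the sample supports because the terminal QM_DONE, EV_ERROR pair comes first; the function and field names are my own, and the verdict strings are constructed labels, not ASA terminology.

```python
import re
from collections import Counter

# Constructed sample input: the two debug lines quoted in the question,
# copied verbatim so the parser runs offline.
QM_ERROR_LINE = (
    "Sep 15 03:14:33 [IKEv1]Group = 193.164.94.47, IP = 193.164.94.47, "
    "QM FSM error (P2 struct &0x00007f41f1085ae0, mess id 0xb6aed5ce)!"
)
HISTORY_LINE = (
    "Sep 15 03:14:33 [IKEv1 DEBUG]Group = 193.164.94.47, IP = 193.164.94.47, "
    "IKE QM Initiator FSM error history (struct &0x00007f41f1085ae0) <state>, <event>: "
    "QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->"
    "QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->"
    "QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent"
)

QM_ERROR_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), QM FSM error \(P2 struct &(?P<struct>0x[0-9a-fA-F]+), "
    r"mess id (?P<mess_id>0x[0-9a-fA-F]+)\)"
)
HISTORY_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), IKE QM (?P<role>Initiator|Responder) FSM error history "
    r"\(struct &(?P<struct>0x[0-9a-fA-F]+)\) <state>, <event>: (?P<history>.*)$"
)


def parse_qm_error(line):
    """Parse the 'QM FSM error' summary line; returns None if it does not match."""
    m = QM_ERROR_RE.search(line)
    return m.groupdict() if m else None


def parse_fsm_history(line):
    """Parse the FSM error history into a list of (state, event) tuples.

    Assumption: the ASA prints the history newest-first, so index 0 is the
    last transition before the error and the final entry is the oldest.
    """
    m = HISTORY_RE.search(line)
    if not m:
        return None
    transitions = []
    for entry in m.group("history").split("-->"):
        state, event = (part.strip() for part in entry.split(",", 1))
        transitions.append((state, event))
    return {"peer": m.group("peer"), "role": m.group("role"),
            "struct": m.group("struct"), "transitions": transitions}


def diagnose(transitions):
    """Classify why Quick Mode failed, from the transition list (newest first)."""
    events = Counter(ev for _, ev in transitions)
    waits_timed_out = sum(1 for st, ev in transitions
                          if st == "QM_WAIT_MSG2" and ev == "EV_TIMEOUT")
    sent_msg1 = any(st == "QM_SND_MSG1" and ev == "EV_SND_MSG"
                    for st, ev in transitions)
    if sent_msg1 and waits_timed_out and transitions[0] == ("QM_DONE", "EV_ERROR"):
        # QM message 1 went out (plus any resends) and every wait for
        # message 2 expired: the peer sent nothing back at all.
        return {"verdict": "peer_never_answered_qm1",
                "qm1_sent": 1 + events.get("EV_RESEND_MSG", 0),
                "timeouts": waits_timed_out}
    return {"verdict": "other", "qm1_sent": int(sent_msg1),
            "timeouts": waits_timed_out}


def correlate(error_line, history_line):
    """Tie the summary line to its history via the shared P2 struct address."""
    err = parse_qm_error(error_line)
    hist = parse_fsm_history(history_line)
    if not err or not hist or err["struct"] != hist["struct"]:
        return None
    report = diagnose(hist["transitions"])
    report.update(peer=hist["peer"], role=hist["role"], mess_id=err["mess_id"])
    return report


if __name__ == "__main__":
    print(correlate(QM_ERROR_LINE, HISTORY_LINE))
```

Run against the quoted lines, the report says the initiator sent Quick Mode message 1 twice (one original send, one resend) and timed out waiting for message 2 both times. That is a different failure class from a rejected proposal: a responder that disliked the transform set or PFS group would normally send a notification back, whereas a pure timeout means nothing at all came back from the peer. With the local transform sets and ACLs already cross-checked, the next things worth confirming are whether the QM1 packet actually reaches the peer (packet captures on both ends) and what the responder's own logs say about the exchange.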