
Typical error log for IPSec ACL mismatch

The IPsec crypto ACL is what is usually called the VPN “traffic of interest” (interesting traffic). In practice, problems caused by misconfiguring this ACL are very common. The typical symptom is a “QM FSM error”, which can be seen by running “debug crypto isakmp” on the PIX/ASA.

May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X,
QM FSM error (P2 struct & 0x41f7f80, mess id 0x4d3d6016)!

May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

May 15 09:17:11 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!

Cisco’s website explains the error log:

QM FSM Error

The IPsec L2L VPN tunnel does not come up on the PIX Firewall or ASA, and the QM FSM error message proves ambiguous. One possible reason is the proxy identities, such as interesting traffic, Access Control List (ACL) or crypto ACL, do not match on both the ends. Check the configuration on both the devices, and make sure that the crypto ACLs match.
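As an added example (not code from this post or from Cisco), the following Python script does the check Cisco recommends: it parses the crypto ACLs pulled from both peers, reports every entry whose mirror image (source and destination swapped) is missing on the other side, and counts QM FSM errors per peer in "debug crypto isakmp" output. The ACL names, networks and the peer address are constructed for the example.

```python
import ipaddress
import re

# Constructed crypto ACLs from the two peers (ASA "extended" syntax, subnet masks).
# The remote side's 10.1.0.0/24 does not mirror the local 10.1.0.0/16.
LOCAL_ACL = """
access-list VPN-A extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-A extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.0.0
"""
REMOTE_ACL = """
access-list VPN-B extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list VPN-B extended permit ip 10.2.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""
# Constructed log lines modelled on the "debug crypto isakmp" output quoted above.
SAMPLE_LOG = """
May 15 09:17:11 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9,
QM FSM error (P2 struct & 0x41f7f80, mess id 0x4d3d6016)!
May 15 09:17:11 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(rf"access-list \S+ extended permit (\S+) {IP} {IP} {IP} {IP}")
QM_RE = re.compile(r"IP = (\S+),\s*QM FSM error")


def parse_acl(text):
    # Each ACE becomes one proxy identity: (protocol, source network, destination network).
    entries = set()
    for proto, src, smask, dst, dmask in ACE_RE.findall(text):
        entries.add((proto, ipaddress.ip_network(f"{src}/{smask}"),
                     ipaddress.ip_network(f"{dst}/{dmask}")))
    return entries


def mirror_mismatches(local_text, remote_text):
    # A crypto ACL is correct only if every entry has its mirror image (src/dst
    # swapped) on the other peer; anything unmatched fails Phase 2 negotiation.
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    mirrored = {(p, d, s) for p, s, d in remote}  # remote entries, local perspective
    local_only = sorted(f"{p} {s} -> {d}" for p, s, d in local - mirrored)
    remote_only = sorted(f"{p} {d} -> {s}" for p, s, d in mirrored - local)
    return local_only, remote_only


def qm_fsm_peers(log_text):
    # Count QM FSM errors per peer address so a mismatch stands out in the debug output.
    counts = {}
    for peer in QM_RE.findall(log_text):
        counts[peer] = counts.get(peer, 0) + 1
    return counts
```

Run `mirror_mismatches(LOCAL_ACL, REMOTE_ACL)` on the sample and it returns the unmatched local /16 entry and the remote /24 entry, which is exactly the pair to reconcile before the tunnel will pass that traffic.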

This article explains the whole process of IKE and IPsec in detail:
http://jackiechen.blog.51cto.com/196075/158222

This article is from the “Facing the Sea, Spring Flowers” blog; reprinting is not permitted.