Netscreen/Juniper: IKE Phase 2 message: Could not check for a policy because the ID mode was set to IP or policy checking was disabled

Problem:

When the local security device received an IKE Phase 2 message from the specified peer, it could not check for a policy because the ID mode was set to IP or policy checking was disabled. If the ID mode is set to IP, the remote peer does not send the proxy ID payload when initiating a Phase 2 session. The proxy ID consists of the local end entity's IP address and netmask, protocol, and port number, as well as the same items for the remote end entity. Consequently, the local peer cannot use the information in the proxy ID to match it against a local policy. If policy checking is disabled for IKE traffic with the specified peer, the IKE module builds the security association (SA) without verifying the policy configuration.

Verify whether this behavior is intended. If not, set the ID mode to subnet (set ike id-mode subnet) and enable policy checking (set ike policy-checking).

Solution:

Enable policy checking:

set ike policy-checking
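To make the Phase 2 check described above concrete, here is an added Python model of what "policy checking" decides when a peer proposes an SA. It is illustrative code written for this page, not ScreenOS or Juniper code, and it assumes a simplified, one-directional policy (source network to destination network) and the convention that protocol or port 0 means "any". It shows the four outcomes: a matching policy, a proxy ID that no policy covers, checking disabled (SA built unverified), and the log message's case, where the peer runs in ID mode IP and sends no proxy ID at all, so there is nothing to match.

```python
"""Illustrative model of IKE Phase 2 proxy-ID policy checking.

Added example for this page; not ScreenOS code. Assumptions: policies are
one-directional (src_net -> dst_net) and protocol/port 0 means "any".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = 0  # constructed convention: protocol/port 0 matches anything


@dataclass(frozen=True)
class ProxyId:
    """Phase 2 proxy ID as the page describes it: local and remote
    address/netmask plus protocol and port."""
    local_net: str
    remote_net: str
    protocol: int = ANY
    port: int = ANY


@dataclass(frozen=True)
class Policy:
    """Simplified VPN policy: traffic from src_net to dst_net may use the tunnel."""
    src_net: str
    dst_net: str
    protocol: int = ANY
    port: int = ANY


def _field_ok(policy_value: int, proxy_value: int) -> bool:
    # A policy field of ANY accepts any proposed value; otherwise exact match.
    return policy_value == ANY or policy_value == proxy_value


def policy_covers(policy: Policy, proxy_id: ProxyId) -> bool:
    """True when the proxy ID's endpoints lie inside the policy's networks
    and the protocol/port fields are compatible."""
    local = ipaddress.ip_network(proxy_id.local_net, strict=False)
    remote = ipaddress.ip_network(proxy_id.remote_net, strict=False)
    src = ipaddress.ip_network(policy.src_net, strict=False)
    dst = ipaddress.ip_network(policy.dst_net, strict=False)
    if local.version != src.version or remote.version != dst.version:
        return False  # subnet_of() only compares same-version networks
    return (local.subnet_of(src) and remote.subnet_of(dst)
            and _field_ok(policy.protocol, proxy_id.protocol)
            and _field_ok(policy.port, proxy_id.port))


def check_phase2(proxy_id: Optional[ProxyId], policies: List[Policy],
                 policy_checking: bool) -> str:
    """Outcome of the Phase 2 policy check for one peer proposal.

    "verified"                     - a local policy matches the proxy ID
    "rejected"                     - proxy ID present, but no policy matches
    "unverified-checking-disabled" - SA built without consulting policies
    "unverified-no-proxy-id"       - peer in ID mode IP sent no proxy ID, so
                                     there is nothing to check (the log case)
    """
    if not policy_checking:
        return "unverified-checking-disabled"
    if proxy_id is None:
        return "unverified-no-proxy-id"
    if any(policy_covers(p, proxy_id) for p in policies):
        return "verified"
    return "rejected"


if __name__ == "__main__":
    # Constructed sample policy and peer proposals.
    policies = [Policy("10.1.1.0/24", "10.2.2.0/24")]
    proposals = {
        "expected subnets": ProxyId("10.1.1.0/24", "10.2.2.0/24"),
        "foreign remote subnet": ProxyId("10.1.1.0/24", "192.168.5.0/24"),
        "peer in id-mode ip": None,
    }
    for label, pid in proposals.items():
        print(f"{label:24s} checking on : {check_phase2(pid, policies, True)}")
        print(f"{label:24s} checking off: {check_phase2(pid, policies, False)}")
```

The two "unverified" outcomes are the ones the log message is warning about: in both, the device cannot tie the SA to a configured policy, so the remediation on this page (subnet ID mode plus policy checking) is what moves a peer from "unverified" into the "verified"/"rejected" branch where the proxy ID is actually compared.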