华为ENSP 配置ipsec IKE问题 ；两边不通。

zhen1006400

R1:

sys
sysname HF
dhcp enable
ip route-s 0.0.0.0 0 13.0.0.3
acl 3000
rule 1 permit ip s 192.168.10.0  0.0.0.255 des 192.168.20.0 0.0.0.255
acl 3001
rule 1 deny ip des  192.168.20.0 0.0.0.255
rule 2 permit ip

int g0/0/1
ip add 192.168.10.1 24
dhcp select interface
int g0/0/0
ip add 13.0.0.1 24
nat outbound 3001

ipsec proposa toSH
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-2
esp encryption-algorithm aes-256

ike proposal 10
authentication-method pre-share
authentication-algorithm md5
encryption-algorithm aes-cbc-128
dh group2
sa duration 3600

ike peer SH v1
exchange-mode main
pre-shared-key cipher  zhen
ike-proposal 10
local-address 13.0.0.1
remote-address 23.0.0.2

ipsec policy P1 1 isakmp
security acl 3000
ike-peer SH
proposal toSH
#
int g0/0/0
ipsec policy P1


R2:

sys
sysname SH
dhcp enable
ip route-s 0.0.0.0 0 23.0.0.2
acl 3000
rule 1 permit ip s 192.168.20.0  0.0.0.255 des 192.168.10.0 0.0.0.255
acl 3001
rule 1 deny ip des  192.168.10.0 0.0.0.255
rule 2 permit ip

int g0/0/1
ip add 192.168.10.1 24
dhcp select interface
int g0/0/0
ip add 23.0.0.2 24
nat outbound 3001



ipsec proposa toHF
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-2
esp encryption-algorithm aes-256

ike proposal 10
authentication-method pre-share
authentication-algorithm md5
encryption-algorithm aes-cbc-128
dh group2
sa duration 3600

ike peer HF v1
exchange-mode main
pre-shared-key cipher  zhen
ike-proposal 10
local-address 23.0.0.2
remote-address 13.0.0.1

ipsec policy P2 1 isakmp
security acl 3000
ike-peer HF
proposal toHF

int g0/0/0
ipsec policy P2