ROS configuration
USG3000 configuration
ike proposal 1 (uses the default configuration, the same as ROS)
ike proposal 2
authentication-algorithm md5 (uses MD5, the same as ROS)
ike peer xianghe
exchange-mode aggressive (both ends use aggressive mode)
pre-shared-key asdf5566
ike-proposal 2
remote-address 59.108.34.19
ipsec policy 2 25 isakmp
security acl 3017
ike-peer xianghe
proposal 1
acl number 3017
description for_xianghe
rule 15 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255 (the interesting traffic; the ROS side is configured as its mirror)
acl number 3001
description for_nat
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255 (deny NAT for the traffic that goes through IPsec; ROS does not have this problem)
rule 5 permit ip source 192.168.0.0 0.0.255.255
firewall interzone trust untrust
nat outbound 3001 interface GigabitEthernet0/0
interface GigabitEthernet0/0
mtu 1400
description to_wan_chengdu_wuhan
ip address 59.108.109.82 255.255.255.240
undo ip fast-forwarding qff (the USG3000 needs the fast-forwarding function turned off)
ipsec policy 2
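
The note on rule 0 of acl 3001 says the IPsec traffic has to be denied in the NAT ACL. The check below is an added example, not part of the original configuration: it parses the two ACLs from this page and reports any IPsec permit rule whose traffic the NAT ACL would still translate. The function names are hypothetical, and evaluation in rule-ID order and "unmatched traffic is not translated" are assumptions.

```python
import ipaddress

# Constructed from the ACL rules shown on this page (wildcard-mask syntax).
IPSEC_ACL = ["rule 15 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255"]
NAT_ACL = [
    "rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255",
    "rule 5 permit ip source 192.168.0.0 0.0.255.255",
]
ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_net(addr, wildcard):
    """Turn 'address wildcard' into a network; non-contiguous wildcards raise ValueError."""
    if wildcard in ("0", "0.0.0.0"):          # host match; ipaddress would read 0.0.0.0 as /0
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_rule(line):
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' into a tuple."""
    tok = line.split()
    def net_after(keyword):
        if keyword not in tok:
            return ANY                         # omitted keyword matches any address
        i = tok.index(keyword)
        return ANY if tok[i + 1] == "any" else wildcard_net(tok[i + 1], tok[i + 2])
    return int(tok[1]), tok[2], net_after("source"), net_after("destination")

def nat_exempt(flow, nat_rules):
    """True if a deny covering the whole flow comes before any overlapping permit."""
    _, _, fsrc, fdst = flow
    for _, action, src, dst in nat_rules:
        if action == "deny" and fsrc.subnet_of(src) and fdst.subnet_of(dst):
            return True
        if action == "permit" and fsrc.overlaps(src) and fdst.overlaps(dst):
            return False
    return True                                # assumption: unmatched traffic is not translated

def natted_ipsec_rules(ipsec_acl, nat_acl):
    """Return the IPsec ACL permit lines whose traffic the NAT ACL would translate."""
    nat_rules = sorted((parse_rule(l) for l in nat_acl), key=lambda r: r[0])
    return [l for l in ipsec_acl
            if parse_rule(l)[1] == "permit" and not nat_exempt(parse_rule(l), nat_rules)]

if __name__ == "__main__":
    print("with rule 0:   ", natted_ipsec_rules(IPSEC_ACL, NAT_ACL))
    print("without rule 0:", natted_ipsec_rules(IPSEC_ACL, NAT_ACL[1:]))
```

With rule 0 in place nothing is reported; with rule 0 removed, rule 15 of acl 3017 is reported because rule 5 would translate its traffic.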