Main configuration on RouterA:
acl number 3000
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 30 permit ip source 192.168.202.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 40 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 50 deny ip
ipsec proposal 2
ike proposal 2
ike peer aaa v1
ipsec policy-template hrui 10
security acl 3000
ipsec policy huir 10 isakmp template hrui
1. After the IPSec tunnel is set up, users cannot access the public network, even though this traffic does not need to be protected by IPSec. As soon as the IPSec policy is unbound from the interface, users can access the public network again.
2. Four permit ACL rules are configured, but only traffic matching one of the four permit rules can be transmitted over the tunnel.
Upgrade the ARs at both ends to V200R002 or later.
1. The ACL bound to the IPSec policy contains a deny rule (rule 50). RouterA, running V200R001C01SPC500, does not support deny rules in an IPSec ACL and by default discards packets that match the deny rule, so traffic to the public network is dropped. After the deny rule is deleted, the fault is rectified.
V200R002 does not use IPSec to encapsulate packets that match the deny rule and does not discard them either; they are forwarded outside the tunnel.
2. The two ends run different versions: one end runs V200R001 and the other V200R002. In V200R001 an SA is negotiated per ACL; in V200R002 an SA is negotiated per ACL rule. As a result, the V200R001 AR negotiates one SA while the V200R002 AR negotiates four (one per permit rule), and only traffic matching one ACL rule can be transmitted. After the AR is upgraded to V200R002, the fault is rectified.
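The following simulation, added here as an illustration and not Huawei code, walks ACL 3000 from this case against a few constructed flows and reproduces the two behaviours described above: what happens to a flow that hits the deny rule on each software version, and how many SAs each version negotiates for this ACL. It assumes the usual ACL semantics (rules evaluated in ascending number order, first match wins, a wildcard-mask bit of 1 means "don't care") and identifies the older behaviour by a version string starting with V200R001; the flow addresses are constructed sample values.

```python
"""Replay ACL 3000 from the case against sample flows and model the two
version-dependent behaviours (deny-rule handling, SA count per ACL).
Added example; assumes standard first-match ACL evaluation with wildcard masks."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL exactly as configured on RouterA in the case.
ACL_3000 = """
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 30 permit ip source 192.168.202.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 40 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 50 deny ip
"""

Spec = Optional[Tuple[int, int]]  # (network, wildcard) as ints; None means "any"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def _spec(addr: str, wildcard: str) -> Tuple[int, int]:
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def _matches(spec: Spec, ip: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    if spec is None:
        return True
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src = dst = None
        if "source" in tok:
            i = tok.index("source")
            src = _spec(tok[i + 1], tok[i + 2])
        if "destination" in tok:
            i = tok.index("destination")
            dst = _spec(tok[i + 1], tok[i + 2])
        rules.append(Rule(int(tok[1]), tok[2], src, dst))
    return sorted(rules, key=lambda r: r.number)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Rules are evaluated in ascending order; the first hit decides."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r
    return None


def forward_decision(rules: List[Rule], src_ip: str, dst_ip: str, version: str) -> str:
    """'ipsec' (encapsulated), 'drop', or 'bypass' (sent outside the tunnel).
    Assumption: a version string starting with V200R001 has the old behaviour."""
    r = first_match(rules, src_ip, dst_ip)
    if r is None or r.action == "deny":
        # V200R001 discards a deny match; V200R002 forwards it unencapsulated.
        return "drop" if version.startswith("V200R001") else "bypass"
    return "ipsec"


def sa_count(rules: List[Rule], version: str) -> int:
    """V200R001: one SA per ACL. V200R002: one SA per permit rule."""
    if version.startswith("V200R001"):
        return 1
    return sum(1 for r in rules if r.action == "permit")


if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    # Constructed sample flows: three intranet flows and one to the public network.
    flows = [("192.168.10.5", "192.168.30.7"), ("192.168.202.9", "192.168.1.1"),
             ("192.168.201.4", "192.168.99.2"), ("192.168.10.5", "203.0.113.10")]
    for ver in ("V200R001C01SPC500", "V200R002"):
        print(f"{ver}: {sa_count(rules, ver)} SA(s) negotiated for acl 3000")
        for s, d in flows:
            hit = first_match(rules, s, d)
            print(f"  {s:>14} -> {d:<14} rule {hit.number} {hit.action:<6} "
                  f"=> {forward_decision(rules, s, d, ver)}")
```

Running the script shows the public-network flow landing on rule 50 and being dropped under V200R001 but bypassed under V200R002, and the SA count going from one to four, which is the mismatch behind symptom 2 when the two ends run different versions.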
Feature behaviour differs between versions. Devices that peer with each other should run the same version.