求助ROS IPsec连接的问题，高手请进

jhzhu2003

现在ros与CISCO的2811进行VPN连接，是site-site的方式，我在网上查了一些资料，按以下文章做了连接：

routeros的大致配置过程：
================================
RouterOS是在vmware中进行测试了，虚拟了两个接口Ether1和Ethernet2， Ether1 的ip地址为192.168.1.18/24, Ether2的ip地址为10.1.1.1/24。

IPSec部分的配置命令为：
1）设置IKE Phase1的具体参数：
/ip ipsec peer add address=192.168.1.28 secret="cisco123" enc-algorithm=des

2）设置IKE Phase2的具体参数：
主要设置包括加密传输的算法和认证方式，缺省的auth-algorithm是sha1
/ip ipsec proposal set default enc-alogrithms=des

3）详细设置需要加密的数据流及IPSecVPN的方式:Tunnel/Transport Mode等
/ip ipsec policy add src-address=10.1.1.0/24 dst-address=10.1.2.0/24 action=encrypt tunnel=yes sa-src=192.168.1.18 sa-dst=192.168.1.28

另外，如果为了采用更强的加密方式3DES, 修改两者的IKE Phase1和Phase2的参数就可以了，但一定要匹配，才能保证IKE SA和IPSec SA的成功建立。

Cisco路由器的IPSec SA信息：
======================================
Cisco1721#sh crypto ipsec sa

interface: FastEthernet0
Crypto map tag: mymap, local addr. 192.168.1.28

protected vrf:
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.18:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
#pkts decaps: 48, #pkts decrypt: 48, #pkts verify 48
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.1.28, remote crypto endpt.: 192.168.1.18
path mtu 1500, media mtu 1500
current outbound spi: D2B7C901

inbound esp sas:
spi: 0x1FC07E86(532708998)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 200, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD2B7C901(3535259905)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 201, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

Cisco1721#

RouteROS的IPSec SA信息：
============================================
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x1FC07E86 direction=out src-address=192.168.1.18 dst-address=192.168.1.28 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="88309c224c6ed89360737f9052b8ca3465d73e4a"
enc-key="eef065a84c5ae446" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=5184

1 E spi=0xD2B7C901 direction=in src-address=192.168.1.28 dst-address=192.168.1.18 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="b8b7144e6cbeb3fc1960452c4da244726ef17dd8"
enc-key="9c8fd493ea2da1ec" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=4960
[admin@MikroTik] >


但是我设好后总是不能通，只有
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual 其他的信息没有

ipsec peer 和ipsec proposal 下面的状态栏显示disabled
ip policy下面的状态栏显示no phase2

考虑是伪地址优先级的原因，也更改过，就是没有办法通，请高手帮帮忙解决一下了！