RouterOS IPSec 另一段不能访问 请大家帮忙 谢谢

datran

routeros 2.9.27 与 DrayTek Vigor2910

   ros     LAN :192.168.68.0/24
           WAN :58.60.116.50

Vigor 2910 Lan:10.10.1.0/24
           Wan:202.198.128.33

建立了IPSec 后，10.10.1.0/24网段可以PING通192.168.68.0/24网段，并可以网上邻居共享。但ROS和192.168.68.0/24网PC却PING不通10.10.1.0/24网段。

ROS LOG 记录
ipsec ike info:responding phase 2 (src58.60.116.50) (dst 202.198.128.33)
ipsec ike info:received ISAKMP packet from 202.198.128.33:500,phase 2,Quick

ipsec warning:decrypted packed did not match policy


---------------------------------------
ROS IPSEC 配置
[admin@HOME] ip ipsec> export
# mar/30/2008 05:03:10 by RouterOS 2.9.27
# software id = TFSH-9LN
#
/ ip ipsec policy
add src-address=192.168.68.0/24:any dst-address=10.10.1.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=58.60.116.50 sa-dst-address=202.198.128.33 proposal=GH2 \
    manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=202.198.128.33/32:500 secret="123456" generate-policy=no \
    exchange-mode=main send-initial-contact=yes proposal-check=obey \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
    lifebytes=0 disabled=no
/ ip ipsec proposal
add name="GH2" auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128 \
    lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no

请大家帮我看下我的ROS哪里有问题，谢谢大家！

smarten

你还能做成功,就不错了,应该跟地址转换有关,谁有跟安奈特R750S路由器建立IPSEC的实利啊?