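Hello everyone, I have a question I'd like to ask:
Problem description: After configuring IPSec VPN on an H3C MSR 20-20 through the web interface, it could communicate with a Huawei AR series router. However, after clearing the H3C MSR 20-20's web-based IPSec VPN configuration and reconfiguring IPSec VPN from the command line, following the command lines from the original web configuration, I found that it can no longer communicate with the Huawei AR router. In the IPSec VPN monitoring information on the web page, the "last connection error" is ERROR_NONE.
Question 1: Which command should I use to find the error?
2. I don't know where the configuration error is. (Please point it out.)
3. Does the "123456" in the pre-shared key command pre-shared-key cipher "123456" have any format or length requirements? If it is too short, I get the error: Error: Failed to set key string.
The configuration is as follows: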
[1#]dis cur
#
version 5.20, Release 2514P01, Basic
#
ike local-name 1#
#
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
#
password-recovery enable
#
acl number 2000
description NAT-address-and-NAT-limit-Acl
rule 0 permit source 172.16.100.0 0.0.0.255
rule 1000 deny
#
acl number 3071
rule 0 permit ip source 172.16.100.0 0.0.0.255 destination 172.16.71.0 0.0.0.255
rule 5 permit ip source 172.16.100.0 0.0.0.255 destination 172.16.72.0 0.0.0.255
rule 10 permit ip source 172.16.100.0 0.0.0.255 destination 172.16.73.0 0.0.0.255
rule 15 permit ip source 172.16.100.0 0.0.0.255 destination 172.16.74.0 0.0.0.255
rule 20 permit ip source 172.16.100.0 0.0.0.255 destination 172.16.75.0 0.0.0.255
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 71
authentication-algorithm md5
#
ike peer tofenzhi71yj
proposal 71
pre-shared-key cipher 123456
remote-address 60.219.X.X
local-address 60.15.X.X
nat traversal
#
ipsec transform-set tofenzhi71yj
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy 983040 71 isakmp
connection-name tofenzhi71yj
security acl 3071
ike-peer tofenzhi71yj
transform-set tofenzhi71yj
sa duration traffic-based 1843200
sa duration time-based 3600
#
dhcp server ip-pool 1
network 172.16.100.0 mask 255.255.255.0
gateway-list 172.16.100.1
dns-list 202.97.224.69 202.97.224.68
#
user-group system
group-attribute allow-guest
#
interface Ethernet0/0
port link-mode route
description connect-WAN
nat outbound 2000
ip address 60.15.X.X 255.255.255.224
ipsec no-nat-process enable
ipsec policy 983040
#
interface Ethernet0/1
port link-mode route
description connect-LAN
ip address 172.16.100.1 255.255.255.0
#
interface NULL0
4. The debugging output is as follows:
[1#]display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
---------------------------------------------------------------------------
71       PRE_SHARED     MD5            DES_CBC    MODP_768       86400
default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
[1#]display ike sa
total phase-1 SAs: 0
connection-id peer flag phase doi
----------------------------------------------------------------
41 <unnamed> NONE 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
[1#]display ipsec sa
[1#]
Please point out anything I have gotten wrong. Thank you!