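The MSR810 3G configuration is complete, and hosts on the internal network can reach the Internet normally. I added an IPsec VPN configuration on the 3G interface, but neither dis ike sa nor dis ipsec sa shows any information. I don't know what the problem is; could the experts here please help?
The MSR810 OS version is V7.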
Best answer
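Originally the branch connected to the headquarters ASA5520 through an ASA5505 using PPPoE + VPDN, and access to resources worked normally. The customer's environment requirements have now changed:
Local device: H3C MSR810-LM
Peer device: Cisco ASA5520
(spoke)MSR810-LM-- 4G--Internet--Enternet--ASA5520-X(Hub)
Internet access over 4G works normally.
On the MSR810 itself, after IPsec is configured there is no IPsec encrypted tunnel information, and no IKE phase 1 either.
The key IPsec configuration is as follows:
MSR810-LM configuration: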
interface Eth-channel1/0:0
 dialer circular enable
 dialer-group 89
 dialer timer autodial 5
 dialer number #777 autodial
 ip address cellular-alloc
 tcp mss 1280
 nat outbound
 apn-profile apply profile69
 ipsec apply policy To_HUB
#
ipsec transform-set To_HUB
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
#
ipsec policy To_HUB 65534 isakmp
 transform-set To_HUB
 security acl 3000
 remote-address *.*.*.*
 ike-profile To_HUB
 sa duration time-based 3600
 sa duration traffic-based 1843200
#
ike profile To_HUB
 keychain To_HUB
 dpd interval 300 on-demand
 match remote identity address *.*.*.* 255.255.255.255
 proposal 65534
#
ike proposal 65534
 dh group2
 authentication-algorithm md5
#
ike keychain To_HUB
 pre-shared-key address *.*.*.* 255.255.255.255 key cipher $c$3$MvltOMNRgNf/m4Wc/HNhoofc1pC54LcQ1q0=
#
ASA5520 configuration:
crypto ipsec transform-set tso esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map center-sh 20 set transform-set tso
crypto dynamic-map center-sh 20 set security-association lifetime seconds 28800
crypto dynamic-map center-sh 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map center-sh 20 set reverse-route
crypto map shanghai 20 ipsec-isakmp dynamic center-sh
crypto map shanghai interface outside
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp nat-traversal 60
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key ****
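Added example, not part of the original post and not H3C or Cisco tooling: a Python check that lines up the IKE and IPsec negotiation parameters from the two configurations above, reports which match, differ, or are not set explicitly on one side, and flags deprecated algorithms. The regexes cover only the command forms that appear on this page, and the field names (ike_enc, esp_auth and so on) are made up for this example.

```python
import re

# Constructed input: negotiation-relevant lines copied from the two configs on this page.
H3C = """ipsec transform-set To_HUB
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
ipsec policy To_HUB 65534 isakmp
 sa duration time-based 3600
 sa duration traffic-based 1843200
ike proposal 65534
 dh group2
 authentication-algorithm md5
"""
ASA = """crypto ipsec transform-set tso esp-des esp-md5-hmac
crypto dynamic-map center-sh 20 set security-association lifetime seconds 28800
crypto dynamic-map center-sh 20 set security-association lifetime kilobytes 4608000
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
"""
FIELDS = {  # hypothetical field name -> (Comware V7 spoke pattern, ASA hub pattern)
    "ike_enc": (r"^[ \t]*encryption-algorithm (\S+)", r"^isakmp policy \d+ encryption (\S+)"),
    "ike_hash": (r"^[ \t]*authentication-algorithm (\S+)", r"^isakmp policy \d+ hash (\S+)"),
    "ike_dh": (r"^[ \t]*dh group(\d+)", r"^isakmp policy \d+ group (\d+)"),
    "esp_enc": (r"^[ \t]*esp encryption-algorithm (\S+)", r"transform-set \S+ esp-(3des|des|aes\S*)"),
    "esp_auth": (r"^[ \t]*esp authentication-algorithm (\S+)", r"esp-(md5|sha)\S*-hmac"),
    "sa_seconds": (r"sa duration time-based (\d+)", r"lifetime seconds (\d+)"),
    "sa_kbytes": (r"sa duration traffic-based (\d+)", r"lifetime kilobytes (\d+)"),
}
WEAK = {"des", "md5", "1", "2", "5"}  # DES, MD5 and DH groups 1/2/5 are deprecated (cf. RFC 8247)

def grab(pattern, text):
    # First captured value, lower-cased, "-cbc" suffix dropped; None if no such line exists.
    m = re.search(pattern, text, re.MULTILINE)
    return re.sub(r"-cbc$", "", m.group(1).lower()) if m else None

def compare(h3c=H3C, asa=ASA):
    # field -> (spoke value, hub value, "match" | "differ" | "unset")
    pairs = {n: (grab(p, h3c), grab(q, asa)) for n, (p, q) in FIELDS.items()}
    return {n: (a, b, "unset" if None in (a, b) else "match" if a == b else "differ")
            for n, (a, b) in pairs.items()}

def weak_fields(result):
    # Algorithm fields where either side uses a deprecated value (lifetimes are excluded).
    return sorted(n for n, (a, b, _) in result.items() if not n.startswith("sa_") and {a, b} & WEAK)

if __name__ == "__main__":
    for name, (a, b, status) in compare().items():
        print(f"{name:11} spoke={a!s:8} hub={b!s:8} {status}")
    print("deprecated algorithms in:", ", ".join(weak_fields(compare())))
```

An "unset" row means one side relies on its platform default for that parameter, so the effective value has to be read from the device rather than from the pasted configuration.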