MSR 810-LM和MSR 3660 想实现总部对分支之间的数据访问，但是失败

MSR 810-LM分支路由器，4G拨号上网IP不固定，MSR 3660 总部路由器外网为固定地址,想实现总部对分支之间的数据访问，现在总部和分支机构都能正常上外网。但是PING对方局域网不通。 请大侠们看看我的配置是啥问题

总部配置如下（H3C MSR3660 )

version 7.1.059, Release 0306P80

#

 dhcp enable

#

vlan 1

#

dhcp server ip-pool IP12

 gateway-list 192.168.13.254

 address range 192.168.13.90 192.168.13.99

 dns-list 218.30.19.40 61.134.1.4

#

interface Ethernet4/3

 port link-mode route

 description Link-To-DianXin

 ip address 161.150.115.182 255.255.255.224

 nat outbound 3000

 ipsec apply policy zongbu

#

interface NULL0

#

interface GigabitEthernet0/1

 port link-mode route

 description Link-To-ShenMu_3层赫斯曼

 combo enable fiber

 ip address 192.168.13.254 255.255.254.0

 dhcp server apply ip-pool ip12

#

 ip route-static 0.0.0.0 0 161.150.115.161

acl advanced 3000

 rule 0 permit ip source 192.168.0.0 0.0.255.255

 rule 1 deny ip source 192.168.12.0 0.0.1.255 destination 192.168.240.0 0.0.0.255

#

acl advanced 3001

 rule 0 permit ip source 192.168.12.0 0.0.0.255 destination 192.168.240.0 0.0.0.255

#              

domain system

 authentication ppp local

#

ipsec transform-set 1

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec transform-set tran1

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec policy-template t1 1

 transform-set 1

 security acl 3001

 ike-profile RTA

#

ipsec policy zongbu 1 isakmp template t1

#

 ike identity fqdn zongbu

#

ike profile RTA

 keychain RTA

 exchange-mode aggressive

 local-identity fqdn zongbu

 match remote identity fqdn RTA

 proposal 1

#

ike proposal 1

 encryption-algorithm 3des-cbc

 authentication-algorithm md5

#

ike keychain RTA

 pre-shared-key hostname RTA key  simple 123456

#

return

分支机构配置如下

 version 7.1.064, Release 0707P15

#

 dialer-group 1 rule ip permit

#

 dhcp enable

#

dhcp server ip-pool ip240

 gateway-list 192.168.240.254

 network 192.168.240.0 mask 255.255.255.0

 address range 192.168.240.90 192.168.240.99

 dns-list 114.114.114.114

#

controller Cellular0/0

#

controller Cellular1/0

 eth-channel 0

#

interface GigabitEthernet0/4

 port link-mode route

 ip address 192.168.240.254 255.255.255.0

 nat outbound 3000

 dhcp server apply ip-pool ip240

#

interface Eth-channel1/0:0

 dialer circular enable

 dialer-group 1

 dialer timer idle 0

 dialer timer autodial 60

 dialer number *777# autodial

 ip address cellular-alloc

 nat outbound 3000

 ipsec apply policy RTA

#

security-zone name Local

#

security-zone name Trust

#

security-zone name DMZ

#

security-zone name Untrust

#              

security-zone name Management

#

 scheduler logfile size 16

#

 ip route-static 0.0.0.0 0 Eth-channel1/0:0 preference 70

#

acl advanced 3000

 rule 0 permit ip source 192.168.240.0 0.255.255.255

 rule 2 deny ip source 192.168.240.0 0.0.0.255 destination 192.168.12.0 0.0.1.255

#

acl advanced 3001

 rule 0 permit ip source 192.168.240.0 0.0.0.255 destination 192.168.12.0 0.0.1.255

#

ipsec transform-set 1

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec transform-set V5

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy RTA 1 isakmp

 transform-set 1

 security acl 3001

 remote-address 161.150.115.182

 ike-profile RTA

#

 ike identity fqdn RTA

#

ike profile RTA

 keychain RTA

 exchange-mode aggressive

 local-identity fqdn RTA

 match remote identity fqdn zongbu

 proposal 1

#

ike proposal 1

 encryption-algorithm 3des-cbc

 authentication-algorithm md5

#

ike keychain RTA

 pre-shared-key address 161.150.115.182 255.255.255.255 key  simple 123456

#

现在总部和分支机构都能正常上外网。但是PING对方局域网不通

MSR 810-LM分支1路由器采用4G拨号方式上网，IP地址不固定。MSR 3660 总部路由器外网口G0/1的地址为公网固定地址,要实现总部对分支1所在的内网（192.168.240.0/24）与总部路由器所在的内网（192.168.12.0/23）之间的数据流进行安全保护，实现两端内网终端通过与总部建立IPsec VPN 隧道进行互访