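I am building an IPsec tunnel between an MSR3620 and iKuai routers in a point-to-multipoint topology. The tunnel connects, but I cannot ping the peer's internal network, and the local end shows the situation in the figure below. I have been struggling with this configuration for a while; something is always missing and I don't know how to fill it in.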
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.2.1 255.255.0.0
tcp mss 1280
#
interface GigabitEthernet0/2
port link-mode route
description Multiple_Line
bandwidth 1000000
combo enable copper
ip address 183.239.XXX.XXX 255.255.255.0
dns server 211.136.192.6
dns server 202.96.128.86
nat outbound 3000
ipsec apply policy gl
#
object-policy ip Any-Any
rule 0 pass counting
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
zone-pair security source Any destination Any
object-policy apply ip Any-Any
#
scheduler logfile size 16
#
ip route-static 0.0.0.0 0 Dialer0 preference 10
ip route-static 0.0.0.0 0 GigabitEthernet0/2 183.239.XXX.XXX preference 12
#
acl basic name connlimitAcl_766
rule 65534 permit source object-group connlimitObjGrp_766
#
acl basic name connlimitAcl_32_256
rule 65534 permit
#
acl advanced 3000
rule 0 permit ip source 192.168.0.0 0.0.255.255
rule 1 permit ip source 192.168.2.0 0.0.1.255 destination 192.169.9.0 0.0.0.255
#
ipsec transform-set gl
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec policy-template gl 65535
transform-set gl
ike-profile gl
sa duration time-based 86400
sa duration traffic-based 1843200
#
ipsec policy gl 65535 isakmp template gl
#
ike profile gl
keychain gl
dpd interval 60 on-demand
match remote identity address 0.0.0.0 0.0.0.0
proposal 65535
#
ike proposal 65535
#
ike keychain gl
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$32S0s7AW16NqgFpm2pX/VV9Upz+3niJjdg==
#
wlan global-configuration
#
wlan ap-group default-group
vlan 1
#
return
(0)
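Best answer
If the tunnel is up but ping fails, it is a routing problem. Check whether there are routes to the private networks on both sides.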
(0)
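I have checked all the routes. The iKuai routers in use at both ends already had an IPsec tunnel set up between them, and it has been working normally all along. For certain reasons we are preparing to replace the router, but the problem above keeps occurring.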
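
Alongside the route check suggested in the best answer, the NAT ACL in this configuration is worth verifying: GigabitEthernet0/2 carries both nat outbound 3000 and ipsec apply policy gl, and Comware applies outbound NAT before IPsec, so a flow that ACL 3000 permits is translated before IPsec sees it. The Python sketch below is an added example, not part of the original thread; it evaluates ACL 3000 first-match for the flow named in rule 1 (assumed here to be the traffic meant for the tunnel). ACL_3000_FIXED is a constructed variant, not a configuration posted in the thread, and only contiguous wildcard masks are handled.

```python
import ipaddress
import re

# ACL 3000 as posted in the question, one rule per line.
ACL_3000 = """\
rule 0 permit ip source 192.168.0.0 0.0.255.255
rule 1 permit ip source 192.168.2.0 0.0.1.255 destination 192.169.9.0 0.0.0.255
"""

# Constructed variant (assumption): exempt the tunnel flow from NAT first.
ACL_3000_FIXED = """\
rule 0 deny ip source 192.168.2.0 0.0.1.255 destination 192.169.9.0 0.0.0.255
rule 5 permit ip source 192.168.0.0 0.0.255.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip"
    r"(?: source (\S+) (\S+))?"
    r"(?: destination (\S+) (\S+))?$"
)


def parse_acl(text):
    """Return [(rule_id, action, src_net, dst_net)] sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rid, action, s, sw, d, dw = m.groups()
        # ipaddress accepts "addr/wildcard" (host mask) for contiguous wildcards.
        src = ipaddress.ip_network(f"{s}/{sw}") if s else ANY
        dst = ipaddress.ip_network(f"{d}/{dw}") if d else ANY
        rules.append((int(rid), action, src, dst))
    return sorted(rules)


def nat_verdict(rules, src, dst):
    """First-match lookup for a flow that lies wholly inside or outside each rule.
    Returns (action, rule_id); ("deny", None) means no rule matched, so no NAT."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for rid, action, rsrc, rdst in rules:
        if src.subnet_of(rsrc) and dst.subnet_of(rdst):
            return action, rid
    return "deny", None


if __name__ == "__main__":
    flow = ("192.168.2.0/23", "192.169.9.0/24")
    print("posted ACL:", nat_verdict(parse_acl(ACL_3000), *flow))
    print("fixed ACL: ", nat_verdict(parse_acl(ACL_3000_FIXED), *flow))
```

With the posted ACL, the tunnel flow hits rule 0 and is NATed to the public address, so rule 1 is never reached; in the constructed variant the deny rule matches first and the remaining traffic is still translated by rule 5.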