Re: IPsec site-to-site VPN MSR 900

Tested and worked.

acl number 3140
rule 0 permit ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
rule 1 permit ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

acl number 3150
rule 0 deny ip source any destination 192.168.221.0 0.0.0.255
rule 1 deny ip source any destination 10.0.0.0 0.0.0.255
rule 2 permit ip source 192.168.236.0 0.0.0.255

interface Ethernet0/0
port link-mode route
nat outbound 3150
ip address Y.Y.Y.Y 255.255.255.252
ipsec policy mlszs2s
dns server Y.Y.Y.X

ipsec policy mlszs2s 1 isakmp
connection-name mlsz_center
security acl 3140
ike-peer mlsz_center
proposal mlsz_globall

need to deal with acl very carefully. otherwise our device or network maybe under attack.