access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 nat (inside) 0 access-list 101 ! sysopt connection permit-ipsec ! crypto ipsec transform-set MySet esp-3des esp-sha-hmac ! crypto map MyMap 1 ipsec-isakmp crypto map MyMap 1 match address 101 crypto map MyMap 1 set peer 10.11.0.2 crypto map MyMap 1 set transform-set MySet crypto map MyMap 10 set security-association lifetime seconds 86400 crypto map MyMap interface outside ! isakmp enable outside isakmp key gsdhg%#@&$*&#$U782GY#JG#HJ1231 address 10.11.0.2 netmask 255.255.255.255 isakmp identity address isakmp policy 1 authentication pre-share isakmp policy 1 encryption 3des isakmp policy 1 hash sha isakmp policy 1 group 2 isakmp policy 1 lifetime 86400

　　在 MikroTik routeros上面设置：

/ip ipsec peer add secret="gsdhg%#@&$*&#$U782GY#JG#HJ1231" address=10.11.0.2/32 \ \... enc-algorithm=3des hash-algorithm=sha1 dh-group=modp1024 lifetime=1d /ip ipsec proposal add auth-algorithms=sha1 enc-algorithm=3des lifetime=1d /ip ipsec policy add src-address 192.168.1.0/24 dst-address=192.168.0.0/24 \ \... sa-src-address=10.0.0.1 sa-dst-address=10.11.0.2 ipsec-protocols=esp action=encrypt level=require tunnel=yesRetrieved from "http://wiki.mikrotik.com/wiki/IPsec"