Category: System Operations
2011-09-28 15:44:49
The actual situation in the project is as follows:
There are three routers, R1, R2 and R3. R1's port f0/0 connects to R2's port f0/0 on network 1.1.1.0/24, and R2's port f0/1 connects to R3's port f0/1 on network 2.2.2.0/24. R1 has a lo0 with address 10.10.1.0/24, and R3 has a lo0 with address 10.10.3.0/24. The requirements are:
On R2's f0/0 port, do PAT (NAT overload) for 2.2.2.0/24; R1 must establish a VPN with R3 using the address of R2's f0/0 port. The interesting traffic is the lo0 of R1 and the lo0 of R3.
I finished the NAT, but the tunnel between R1 and R3 could never be established. Could someone advise and give a solution?
Solution:
Since there is no real lab environment, I wrote out the following configuration in Notepad:
R2:
int f0/0
 ip nat outside
int f0/1
 ip nat inside
ip nat inside source list 111 interface f0/0 overload
access-list 111 permit ip 2.2.2.0 0.0.0.255 any
ip nat inside source static esp 2.2.2.3 interface f0/0
ip nat inside source static udp 2.2.2.3 500 interface f0/0 500
Without these two static commands, the tunnel from R3 to R1 is established successfully, but the reverse is not; whether NAT-T is enabled on either side makes no difference.
With these two commands, either side can establish the tunnel, but R3 must disable NAT-T.
R3:
no crypto ipsec nat-transparency udp-encapsulation
access-list 134 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 hash md5
crypto isakmp key cisco address 1.1.1.1
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 match address 134
 set peer 1.1.1.1
 set transform-set cisco
int f0/1
 crypto map cisco
R1:
access-list 134 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 hash md5
crypto isakmp key cisco address 1.1.1.2
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map CISCO 10 ipsec-isakmp
 match address 134
 set peer 1.1.1.2
 set transform-set CISCO
int f0/0
 crypto map CISCO
Notes:
(1)
If R3 is NOT configured with
no crypto ipsec nat-transparency udp-encapsulation
and R2 is NOT configured with
ip nat inside source static esp 2.2.2.3 interface f0/0
ip nat inside source static udp 2.2.2.3 500 interface f0/0 500
then R3 can build the tunnel but R1 cannot.
(2)
If R3 and R1 are configured with
no crypto ipsec nat-transparency udp-encapsulation
but R2 is NOT configured with
ip nat inside source static esp 2.2.2.3 interface f0/0
ip nat inside source static udp 2.2.2.3 500 interface f0/0 500
then R3 can build the tunnel but R1 still cannot.
(3)
If R3 is configured with
no crypto ipsec nat-transparency udp-encapsulation
and R2 is configured with
ip nat inside source static esp 2.2.2.3 interface f0/0
ip nat inside source static udp 2.2.2.3 500 interface f0/0 500
then both R1 and R3 can build the tunnel from their own side.
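To make the three cases above concrete, here is a simplified Python model of R2's PAT behaviour; it is an added example, not the original author's configuration or Cisco code. It assumes R2's f0/0 is 1.1.1.2 (the peer R1 is configured with) and R3's f0/1 is 2.2.2.3 (the static-NAT inside address), and it models only the direction of the first packet of each IKE phase and of the first ESP packet.

```python
# Added example, not from the original post: a simplified model of the PAT
# on R2 (ip nat inside source list 111 interface f0/0 overload). Assumes R2
# f0/0 = 1.1.1.2 (R1's peer) and R3 f0/1 = 2.2.2.3, as in the page's configs.
R1, R2_OUTSIDE, R3 = "1.1.1.1", "1.1.1.2", "2.2.2.3"

class Pat:
    """Overload NAT: outbound packets install translations; inbound packets
    reach an inside host only through a matching dynamic or static entry."""
    def __init__(self, static_udp=(), static_esp=False):
        self.static_udp = set(static_udp)  # 'ip nat inside source static udp'
        self.static_esp = static_esp       # 'ip nat inside source static esp'
        self.dyn = {}                      # (proto, outside port) -> inside ip

    def outbound(self, proto, src, sport=None):
        """Inside -> outside: install a translation (inside port kept)."""
        self.dyn[(proto, sport)] = src
        return (R2_OUTSIDE, sport)

    def inbound(self, proto, dport=None):
        """Outside -> R2's outside address: inside host, or None if dropped."""
        if proto == "esp" and self.static_esp:
            return R3
        if proto == "udp" and dport in self.static_udp:
            return R3
        return self.dyn.get((proto, dport))

def r3_initiates(pat):
    """R3 starts IKE: its own packets create the translations R1's replies need."""
    pat.outbound("udp", R3, 500)              # MM1 leaves via 1.1.1.2:500
    if pat.inbound("udp", 500) != R3:         # MM2 from R1 must come back in
        return False
    pat.outbound("esp", R3)                   # first ESP packet from R3
    return pat.inbound("esp") == R3           # ESP reply from R1

def r1_initiates(pat, nat_t_on_r3):
    """R1 starts IKE: the first packet of each step arrives inbound at R2."""
    if pat.inbound("udp", 500) != R3:         # MM1 to 1.1.1.2:500
        return False
    pat.outbound("udp", R3, 500)              # MM2 from R3
    if nat_t_on_r3:
        # NAT-D in MM3/MM4 detects the PAT, so the initiator (R1) moves to
        # UDP 4500 at MM5; that packet is inbound and has no translation.
        return pat.inbound("udp", 4500) == R3
    return pat.inbound("esp") == R3           # first ESP from R1 after QM

if __name__ == "__main__":
    print("case 1, R3 initiates:", r3_initiates(Pat()))
    print("case 1, R1 initiates:", r1_initiates(Pat(), nat_t_on_r3=False))
    fixed = Pat(static_udp={500}, static_esp=True)
    print("case 3, R1 initiates:", r1_initiates(fixed, nat_t_on_r3=False))
```

In this model the R3-initiated tunnel works with or without the static entries, while an R1-initiated tunnel needs both the static ESP and UDP/500 entries and NAT-T disabled on R3, matching cases (1) to (3).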