# Comware-style gateway configuration, restored to one command per line.
# Overview of what the listing configures:
#   - two routed interfaces, placed in the Untrust (GE1/0/1) and Trust (GE1/0/2) zones
#   - IPsec policy H3C_outside on GE1/0/1 with two entries towards peer 192.168.0.1:
#       entry 3 negotiates with IKEv2, entry 4 with IKE (v1)
#   - a NAT global-policy rule, HTTP/HTTPS management, and one security-policy rule
#
# Outside interface: member of zone Untrust and the only interface with the
# IPsec policy applied.
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.0.2 255.255.255.0
 ipsec apply policy H3C_outside
#
# Inside interface: member of zone Trust.
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 2.2.2.2 255.255.255.0
#
security-zone name Trust
 import interface GigabitEthernet1/0/2
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
# Both static routes use next hop 192.168.0.1, which is also the IPsec peer address.
 ip route-static 1.1.1.0 24 192.168.0.1
 ip route-static 11.11.11.11 32 192.168.0.1
#
# ACL 3000 selects the traffic protected by IPsec policy entry 3 (single host pair).
# NOTE(review): 22.22.22.22 does not appear anywhere else in this listing - confirm
# which interface or NAT rule is expected to source it.
acl advanced 3000
 rule 0 permit ip source 22.22.22.22 0 destination 11.11.11.11 0
#
# ACL 3101 selects the traffic protected by IPsec policy entry 4.
# Rule 1 matches source 192.168.1.2, the same address used by the NAT rule below;
# presumably so translated traffic is still matched by the tunnel - TODO confirm.
acl advanced 3101
 rule 0 permit ip source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
 rule 1 permit ip source 192.168.1.2 0 destination 1.1.1.0 0.0.0.255
#
# ESP with AES-CBC-256 and SHA-256, PFS with DH group 14. Used by policy entry 4.
ipsec transform-set H3C_01
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group14
#
# Same ESP algorithms, PFS with DH group 20. Used by policy entry 3.
ipsec transform-set H3C_02
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group20
#
# Entry 3: IKEv2-negotiated tunnel (ikev2-profile H3C_01), traffic from ACL 3000,
# SA lifetime 10800 seconds, SAs set up automatically (trigger-mode auto).
ipsec policy H3C_outside 3 isakmp
 transform-set H3C_02
 security acl 3000
 local-address 192.168.0.2
 remote-address 192.168.0.1
 ikev2-profile H3C_01
 sa trigger-mode auto
 sa duration time-based 10800
#
# Entry 4: IKE (v1)-negotiated tunnel (ike-profile H3C_01), traffic from ACL 3101,
# SA lifetime 28800 seconds. Same peer as entry 3.
# NOTE(review): the same peer is reached with both IKEv1 and IKEv2; confirm the
# IKEv1 entry is still required rather than left over from a migration.
ipsec policy H3C_outside 4 isakmp
 transform-set H3C_01
 security acl 3101
 local-address 192.168.0.2
 remote-address 192.168.0.1
 ike-profile H3C_01
 sa trigger-mode auto
 sa duration time-based 28800
#
# One NAT rule carrying both a static source translation and a destination
# translation for the 1.1.1.3 -> 192.168.1.2 flow; hit counting is enabled.
nat global-policy
 rule name rule1
  source-ip host 1.1.1.3
  destination-ip host 192.168.1.2
  action snat static ip-address 192.168.1.2
  action dnat ip-address 2.2.2.4
  counting enable
#
# IKE (v1) profile: accepts only the remote identity 192.168.0.1/32 and offers
# proposal 1.
ike profile H3C_01
 keychain H3C_01
 local-identity address 192.168.0.2
 match remote identity address 192.168.0.1 255.255.255.255
 proposal 1
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm sha256
#
# Pre-shared key for peer 192.168.0.1, stored in cipher form.
# NOTE(review): treat the $c$3$ string as a secret. Do not rely on the cipher form
# for confidentiality; redact it before sharing the configuration and rotate the
# key on both peers if this listing has been published.
ike keychain H3C_01
 match local address 192.168.0.2
 pre-shared-key address 192.168.0.1 255.255.255.255 key cipher $c$3$53T/ZnnTxKZuJus5xDEKTX7Ps1qXIWPTUQ==
#
# Web management is enabled over both HTTP and HTTPS.
# NOTE(review): HTTP carries management sessions in cleartext. If HTTPS is
# sufficient, disable HTTP (undo ip http enable), and confirm which zones may reach
# the management service - the security policy at the end of this listing does not
# restrict it.
 ip http enable
 ip https enable
#
# IKEv2 pre-shared key for peer 192.168.0.1, stored in ciphertext form.
# NOTE(review): same handling as the IKE keychain above - redact before sharing,
# rotate if exposed.
ikev2 keychain keychain2
 peer peer1
  address 192.168.0.1 255.255.255.255
  identity address 192.168.0.1
  pre-shared-key ciphertext $c$3$puaekut/i+IQR/oO0QHo65lWrcKfn/0JpG4=
#
# IKEv2 profile: pre-shared-key authentication in both directions, remote identity
# restricted to 192.168.0.1/32.
ikev2 profile H3C_01
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain keychain2
 match remote identity address 192.168.0.1 255.255.255.255
#
ikev2 proposal H3C_01
 encryption aes-cbc-256
 integrity sha256
 dh group20
#
ikev2 policy H3C
 priority 10
 proposal H3C_01
#
# Single security-policy rule. Despite the name "trust-untrust", it lists Trust,
# Untrust and local as both source and destination zones, with action pass and no
# address or service criteria, so every zone pair shown here is permitted -
# including Untrust to local (the device itself) and Untrust to Trust.
# NOTE(review): as written the zone policy filters nothing. Replace it with
# narrower rules for the flows actually required (for example the IKE/ESP exchange
# with peer 192.168.0.1 towards local, and the tunnel subnets selected by ACLs
# 3000 and 3101) and leave everything else to the default action.
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone Trust
  source-zone Untrust
  source-zone local
  destination-zone Trust
  destination-zone Untrust
  destination-zone local
#
return