FG 620B 4.0 MR2 patch 1
 Interface mode IPsec
 
 Trying to bring IPsec tunnels up. The monitor shows the tunnel is up.
 No traffic (echo) is passing.
 
 First step was:
 
 chifgt02 (root) # diagnose sniffer packet any " host 192.168.37.150 or host 10.x.x.x"  4
 ****started ping  from 37.150 >10..x.x.x now***************
 interfaces=[any]
 filters=[host 192.168.37.150 or host 10.66.6.14]
 3.376838 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request
 8.877053 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request
 14.376863 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request
 19.877578 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request
 4 packets received by filter
 0 packets dropped by kernel
 
 So this indicates the firewall sees the traffic, not sure what else this tells me.
 
 Second step:
 chifgt02 (root) # diagnose sniffer packet any " host 192.168.37.150 or host 10..x.x.x or arp"  4
 
 I see no references to 10..x.x.x 
 
 Third step:
 chifgt02 (root) # diag debug enable
 
 chifgt02 (root) # diag debug flow filter add 192.168.37.150
 
 chifgt02 (root) # diag debug flow show console enable
 show trace messages on console
 
 chifgt02 (root) # diag debug flow trace start 100
 
 chifgt02 (root) # diag debug enable
 
 ****START PING NOW FROM 37.150 > 10.x.x.x***********
 
 chifgt02 (root) # id=36870 trace_id=1 msg=" vd-root received a packet(proto=1, 192.168.37.150:512->10.x.x.x:8) from port1."
 id=36870 trace_id=1 msg=" allocate a new session-000c8cd6" 
 id=36870 trace_id=1 msg=" find a route: gw-10.x.x. via meditech" 
 id=36870 trace_id=1 msg=" Allowed by Policy-114:" 
 id=36870 trace_id=1 msg=" enter IPsec interface-meditech" 
 id=36870 trace_id=1 msg=" No matching IPsec selector, drop" 
 id=36870 trace_id=2 msg=" vd-root received a packet(proto=1, 192.168.37.150:512->10.x.x.:8) from port1." 
 id=36870 trace_id=2 msg=" Find an existing session, id-000c8cd6, original direction" 
 id=36870 trace_id=2 msg=" enter IPsec interface-meditech" 
 id=36870 trace_id=2 msg=" No matching IPsec selector, drop" 
 
 4th step:
 I looked at my P2 Quick Mode Selector which is
 chifgt02 (meditech_2) # set dst-addr-type name
 
 chifgt02 (meditech_2) # set dst-name vpn_remote_meditech
 
 chifgt02 (meditech_2) # set src-addr-type name
 
 chifgt02 (meditech_2) # set src-name vpn_local_meditech
 
 I think this is my problem? I have seen people suggest to set these to 0.0.0.0/0.0.0.0 and filter at the policy, but I think this will fail if the setup on the other side of the tunnel (which I don't manage) is not the same. I deleted this P2 and created a new one with all 0s; this time the tunnel would not come up. The debug showed something to the effect of SA is not ready. Sorry, I didn't save that output.
 
 I changed P2 back to 
 chifgt02 (meditech_2) # set dst-addr-type name
 
 chifgt02 (meditech_2) # set dst-name vpn_remote_meditech
 
 chifgt02 (meditech_2) # set src-addr-type name
 
 chifgt02 (meditech_2) # set src-name vpn_local_meditech
 
 Am I misunderstanding the Quick Mode Selector? I am wondering why it has a static source and static dst, since it seems to me that I would need 2 selectors, one for each direction. I will re-read the guides and forum posts, but hopefully someone can tell me if I'm on the right track.
 
 
 Thanks in advance
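
 The check that the flow trace in this post points to, as an added example that is not part of the original post: it pulls the packets dropped with "No matching IPsec selector" out of debug flow output and tests each one against a single phase 2 selector in both directions. The trace sample, the 10.0.0.14 address and the selector subnets are constructed; the post does not show the contents of vpn_local_meditech or vpn_remote_meditech.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the trace above; 10.0.0.14 is a
# stand-in for the redacted 10.x.x.x address.
TRACE = '''\
id=36870 trace_id=1 msg=" vd-root received a packet(proto=1, 192.168.37.150:512->10.0.0.14:8) from port1."
id=36870 trace_id=1 msg=" allocate a new session-000c8cd6"
id=36870 trace_id=1 msg=" Allowed by Policy-114:"
id=36870 trace_id=1 msg=" enter IPsec interface-meditech"
id=36870 trace_id=1 msg=" No matching IPsec selector, drop"
'''

LINE = re.compile(r'trace_id=(\d+) msg="\s*(.*?)\s*"\s*$')
PKT = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)')

def selector_drops(trace):
    """Return (src, dst, tunnel) for each trace_id that ends in a selector drop."""
    flows = defaultdict(dict)
    for raw in trace.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, msg = m.groups()
        pkt = PKT.search(msg)
        if pkt:
            flows[tid]["src"], flows[tid]["dst"] = pkt.groups()
        elif msg.startswith("enter IPsec interface-"):
            flows[tid]["tunnel"] = msg.split("-", 1)[1]
        elif msg.startswith("No matching IPsec selector"):
            flows[tid]["dropped"] = True
    return [(f.get("src"), f.get("dst"), f.get("tunnel"))
            for f in flows.values() if f.get("dropped")]

def selector_covers(src, dst, local_net, remote_net):
    """Direction in which the selector matches; return traffic uses it mirrored."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    if s in local and d in remote:
        return "outbound"
    if s in remote and d in local:
        return "inbound"
    return None

if __name__ == "__main__":
    for src, dst, tunnel in selector_drops(TRACE):
        # Hypothetical selector subnets; the post does not show the address objects.
        print(tunnel, src, dst, selector_covers(src, dst, "192.168.40.0/24", "10.0.0.0/24"))
```

 A result of None for a dropped packet means its source or destination lies outside the subnets the selector was negotiated with, which is the condition the "No matching IPsec selector" message reports.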
 
 
 
