FG 620B 4.0 MR2 patch 1 Interface mode IPsec Trying to bring IPsec tunnels up. the monitor show the tunnel is up. No traffic (echo) is passing. First step was; chifgt02 (root) # diagnose sniffer packet any " host 192.168.37.150 or host 10.x.x.x" 4 ****started ping from 37.150 >10..x.x.x now*************** interfaces=[any] filters=[host 192.168.37.150 or host 10.66.6.14] 3.376838 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request 8.877053 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request 14.376863 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request 19.877578 port1 in 192.168.37.150 -> 10..x.x.x: icmp: echo request 4 packets received by filter 0 packets dropped by kernel So this indicates the firewall sees the traffic, not sure what else this tells me. second step; chifgt02 (root) # diagnose sniffer packet any " host 192.168.37.150 or host 10..x.x.x or arp" 4 I see no references to 10..x.x.x third step; chifgt02 (root) # diag debug enable chifgt02 (root) # diag debug flow filter add 192.168.37.150 chifgt02 (root) # diag debug flow show console enable show trace messages on console chifgt02 (root) # diag debug flow trace start 100 chifgt02 (root) # diag debug enable ****START PING NOW FROM 37.150 > 10.x.x.x*********** chifgt02 (root) # id=36870 trace_id=1 msg=" vd-root received a packet(proto=1, 192.168.37.150:512->10.x.x.x:8) from por t1." id=36870 trace_id=1 msg=" allocate a new session-000c8cd6" id=36870 trace_id=1 msg=" find a route: gw-10.x.x. via meditech" id=36870 trace_id=1 msg=" Allowed by Policy-114:" id=36870 trace_id=1 msg=" enter IPsec interface-meditech" id=36870 trace_id=1 msg=" No matching IPsec selector, drop" id=36870 trace_id=2 msg=" vd-root received a packet(proto=1, 192.168.37.150:512->10.x.x.:8) from port1." id=36870 trace_id=2 msg=" Find an existing session, id-000c8cd6, original direction" id=36870 trace_id=2 msg=" enter IPsec interface-meditech" id=36870 trace_id=2 msg=" No matching IPsec selector, drop" 4th step; I looked at my P2 Quick Mode Selector which is chifgt02 (meditech_2) # set dst-addr-type name chifgt02 (meditech_2) # set dst-name vpn_remote_meditech chifgt02 (meditech_2) # set src-addr-type name chifgt02 (meditech_2) # set src-name vpn_local_meditech I think this is my problem? I have seen people suggest to set these to 0.0.0.0/0.0.0.0 and filter at the policy but I think this will fail if the set up on the other side of the tunnel (which I don' t manage) is not the same. I deleted this P2 and created a new one with all 0s, this time the tunnel would not come up. The debug showed something to the effect of SA is not ready, sorry i didn' t save that output. I changed P2 back to chifgt02 (meditech_2) # set dst-addr-type name chifgt02 (meditech_2) # set dst-name vpn_remote_meditech chifgt02 (meditech_2) # set src-addr-type name chifgt02 (meditech_2) # set src-name vpn_local_meditech Am I misunderstanding the Quick Mode Selector? I am wondering why it has a static source and static dst since it seems to me that i would need 2 selectors, one for each direction. I will re-read the guides and forum posts, but hopefully someone can tell me if I' m on the right track. Thanks in advance