yup.. Spent 1 day with a possible bug.. when creating a policy with
IPSEC, in the GUI I enabled the checkbox that the remote end can
initiate the VPN (as usual), but in the CLI for that same policy the
enable outbond was set to disable... so he could...