So I've now resigned myself to the fact that the GUI site-to-site VPN doesn't work.
But I found that all I needed to add was the lines with # in front of them below. Plus delete the auto-firewall-nat-exclude enable. Then manually add a NAT exclusion in my NAT config (did it in the GUI).
ubnt@ori# show vpn
 ipsec {
     esp-group FOO0 {
         # compression disable
         # lifetime 3600
         # pfs enable
         proposal 1 {
             encryption aes128
             hash sha1
         }
     }
     ike-group FOO0 {
         # lifetime 28800
         # proposal 1 {
             dh-group 14
             encryption aes128
             hash sha1
         }
     }
     # ipsec-interfaces {
     #     interface pppoe0
     }
     site-to-site {
         peer remote-site.sytes.net {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret topsecret
             }
             # connection-type respond
             description "SJA VPN"
             ike-group FOO0
             local-address local-site.sytes.net
             tunnel 1 {
                 # allow-nat-networks disable
                 # allow-public-networks disable
                 esp-group FOO0
                 local {
                     prefix 10.0.1.0/24
                 }
                 remote {
                     prefix 10.0.2.0/24
                 }
             }
         }
     }
 }
Did similar changes to the remote site. Bingo bango, the VPN tunnel came up after around 15 seconds. I could ping the remote router from the local router, but couldn't ping devices on their side of the tunnel, and my PC couldn't ping the remote router.
Found out later that, because I set up load balancing/failover in my routers, I have to execute this command on each router
/usr/sbin/ubnt-add-connected.pl
from the CLI and then my VPN tunnel was fully operational! Huzzah.
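The manual NAT exclusion mentioned above only works if the exclude rule is evaluated before the ordinary masquerade rule (EdgeOS walks NAT rules in ascending number order) and if it actually covers the tunnel's local and remote prefixes. The script below is an added example, not the poster's code or anything shipped with EdgeOS: it parses the brace-style "show" output into a tree, pulls every site-to-site tunnel's prefixes, and reports any tunnel whose traffic would hit a masquerade rule before an exclude rule. The embedded sample config, the rule numbers 5000/5010 and the peer name are constructed for the example; the "exclude" and "type masquerade" keywords are standard EdgeOS NAT syntax.

```python
import ipaddress

# Constructed sample in EdgeOS "show" layout (not the poster's config): one
# tunnel 10.0.1.0/24 <-> 10.0.2.0/24, exclude rule 5000 placed before the
# ordinary masquerade rule 5010. Rule numbers are made up for the example.
SAMPLE_CONFIG = """\
service {
    nat {
        rule 5000 {
            destination {
                address 10.0.2.0/24
            }
            exclude
            outbound-interface pppoe0
            source {
                address 10.0.1.0/24
            }
            type masquerade
        }
        rule 5010 {
            outbound-interface pppoe0
            type masquerade
        }
    }
}
vpn {
    ipsec {
        site-to-site {
            peer remote-site.sytes.net {
                tunnel 1 {
                    local {
                        prefix 10.0.1.0/24
                    }
                    remote {
                        prefix 10.0.2.0/24
                    }
                }
            }
        }
    }
}
"""


def parse_config(text):
    """Parse brace-delimited EdgeOS 'show' output into nested dicts.
    'key value {' opens a node, 'key value' is a leaf, bare 'key' is a flag."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = node = {}
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"') or True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return stack[0]


def tunnels(cfg):
    """Yield (local_prefix, remote_prefix) for every site-to-site tunnel."""
    peers = cfg.get("vpn", {}).get("ipsec", {}).get("site-to-site", {})
    for pname, peer in peers.items():
        for tname, tun in peer.items():
            if pname.startswith("peer ") and tname.startswith("tunnel "):
                yield (ipaddress.ip_network(tun["local"]["prefix"]),
                       ipaddress.ip_network(tun["remote"]["prefix"]))


def nat_rules(cfg):
    """NAT rules as (number, body) in ascending order, as EdgeOS evaluates them."""
    nat = cfg.get("service", {}).get("nat", {})
    rules = [(int(k.split()[1]), v) for k, v in nat.items() if k.startswith("rule ")]
    return sorted(rules, key=lambda r: r[0])


def rule_matches(rule, local, remote):
    """Would this rule match packets from local to remote? A missing
    source/destination address matches anything (interface is ignored here)."""
    src = rule.get("source", {}).get("address")
    dst = rule.get("destination", {}).get("address")
    return ((src is None or local.subnet_of(ipaddress.ip_network(src))) and
            (dst is None or remote.subnet_of(ipaddress.ip_network(dst))))


def check_nat_exclusion(cfg):
    """Per tunnel: (local, remote, problem). problem is None when the first
    NAT rule matching tunnel traffic is an 'exclude' rule (or none matches);
    otherwise it names the rule that would masquerade the tunnel traffic."""
    results = []
    for local, remote in tunnels(cfg):
        problem = None
        for num, rule in nat_rules(cfg):
            if rule_matches(rule, local, remote):
                if rule.get("exclude") is not True:
                    problem = "rule %d (%s) NATs %s -> %s before any exclude rule" % (
                        num, rule.get("type"), local, remote)
                break
        results.append((str(local), str(remote), problem))
    return results
```

Feed it the output of `show service nat` and `show vpn ipsec site-to-site` pasted together (or `show` from configure mode) and a non-None problem entry means the tunnel's packets are being masqueraded before they reach the IPsec policy, which matches the symptom of being able to reach the far router but nothing behind it. Renumbering the sample's exclude rule above the masquerade rule makes the check fail, which is the misordering the number-ordering rule is meant to catch.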