Unfortunately, still no luck.
I confirmed the following, where "auto-firewall-nat-exclude" is enabled:
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        disable-uniqreqids
        esp-group vpntunnel {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
    }
}
As suggested, I have added the following to WAN_IN as the last of four rules:
rule 40 {
    action accept
    description "Allow ipsec encrypted"
    destination {
        address 72.13.6.0/24
    }
    ipsec {
        match-ipsec
    }
    log disable
    protocol all
    source {
        address 192.168.2.0/24
    }
}