Hello Shyams,

Could you please let me know the vendor of the device at the other end of the tunnel? Also check the PROXY-ID on both sides. Only Palo Alto and Juniper firewalls take 0.0.0.0/0 as a PROXY ID by default. If the other end is a different vendor's box, then you have to manually configure the PROXY-ID in order to pass traffic through the tunnel.

Details and explanation about PROXY ID:

The ID payload during IPsec phase-2 negotiation contains the proxy identities on whose behalf the initiator does the negotiation. These are generally IP address subnets, but they can have more fields, such as port, too. In the case of a site-to-site IPsec setup with two gateways doing IPsec negotiations with each other, the proxy IDs are based on rules defined on the gateways that define what type of traffic is supposed to be encrypted by the peers (specific source, destination, protocols).

So, if you have multiple subnets to allow behind both VPN peers, there will be multiple SPIs (Security Parameter Index) to enhance the security and administrative control over the VPN tunnel.

Thanks
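An added example, not part of the original post: a small Python check that compares the proxy IDs configured on two gateways and reports the entries that the peer does not mirror. The addresses, the gateway names, and the rule that the peer requires an exact mirrored match are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class ProxyID(NamedTuple):
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: str

def pid(local, remote, protocol="any"):
    """Build a proxy ID from CIDR strings, clearing any host bits."""
    return ProxyID(ipaddress.ip_network(local, strict=False),
                   ipaddress.ip_network(remote, strict=False),
                   protocol.lower())

def mirrored(p):
    """The entry the peer must hold: local and remote swapped."""
    return ProxyID(p.remote, p.local, p.protocol)

def compare(side_a, side_b):
    """Compare two gateways' proxy IDs, assuming exact mirror matching.

    Returns (matched, only_a, only_b):
      matched - entries on A that B mirrors
      only_a  - entries on A with no mirror on B
      only_b  - entries on B (in B's own orientation) with no mirror on A
    """
    a = set(side_a)
    b_seen_from_a = {mirrored(p) for p in side_b}
    matched = sorted(a & b_seen_from_a)
    only_a = sorted(a - b_seen_from_a)
    only_b = sorted(mirrored(p) for p in b_seen_from_a - a)
    return matched, only_a, only_b

# Constructed sample configurations; all addresses are illustrative.
GW_A_DEFAULT = [pid("0.0.0.0/0", "0.0.0.0/0")]          # default proxy ID
GW_A_MANUAL = [pid("10.1.0.0/24", "10.2.0.0/24"),       # manually configured
               pid("10.1.1.0/24", "10.2.0.0/24")]
GW_B = [pid("10.2.0.0/24", "10.1.0.0/24"),              # peer with per-subnet rules
        pid("10.2.0.0/24", "10.1.1.0/24")]

if __name__ == "__main__":
    for label, cfg in (("default", GW_A_DEFAULT), ("manual", GW_A_MANUAL)):
        matched, only_a, only_b = compare(cfg, GW_B)
        print(f"gateway A ({label}): {len(matched)} matched, "
              f"{len(only_a)} only on A, {len(only_b)} only on B")
        for p in only_a + only_b:
            print(f"  unmatched: {p.local} <-> {p.remote} ({p.protocol})")
```

Each matched entry corresponds to one subnet pair negotiated in phase 2, so the two-subnet manual configuration yields two matched entries.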