ICMP Packet Dropped Due to Policy – Over Sonicwall VPN

Site A required the following site-to-site VPN to be created.

The above was all created with ease and the VPN connection came up. Site A then requested that the ONLY service allowed over the VPN was "Ping".

The following 2 firewall rules were applied:

VPN -> VLAN ZONE

And the reverse for VLAN ZONE-> VPN

However, this didn't work, and the following messages appeared in the logs when Site B tried to ping the server at Site A.


Answer:

The problem was that the VPN zone doesn't implicitly allow VPN traffic! As you'll see in the above screenshot, port 1 is also being utilised. Looking at the services, I could see that port 1 was actually ESP (IPSec). Therefore you will have to allow the ESP (IPSec) service as well. I did this by creating a Service Group called VPN Services, which included PING and ESP (IPSec), and allowed it in both directions.
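As an added illustration (not SonicWall code, and not part of the original post), the following Python models zone-to-zone access rules with service groups the way the fix above describes them: first matching rule wins, anything unmatched is dropped "due to policy". The zone names and the VPN Services group (PING plus ESP (IPSec)) follow the post; the rule semantics, the `Flow`/`Rule` types and the extra HTTP flow are assumptions made here so that a rule set can be checked for permitting exactly the required flows and nothing more.

```python
"""Model of zone-based access rules with service groups (added example,
not SonicWall's implementation). Use audit() to confirm a rule set allows
the flows a site needs while keeping everything else blocked."""

from dataclasses import dataclass

# Service names follow the labels used in the post. "VPN Services" is the
# service group from the fix; the other entries are single services.
SERVICE_GROUPS = {
    "PING": {"PING"},
    "ESP (IPSec)": {"ESP (IPSec)"},
    "VPN Services": {"PING", "ESP (IPSec)"},
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # a service name or a service-group name
    action: str    # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


def expand(service):
    """Resolve a service-group name to the services it contains."""
    return SERVICE_GROUPS.get(service, {service})


def evaluate(rules, flow):
    """First matching rule decides; an unmatched flow is dropped (implicit deny)."""
    for rule in rules:
        if (rule.src_zone == flow.src_zone
                and rule.dst_zone == flow.dst_zone
                and flow.service in expand(rule.service)):
            return rule.action
    return "deny"


def both_ways(service):
    """The pair of rules from the post: VPN -> VLAN ZONE and the reverse."""
    return [
        Rule("VPN", "VLAN ZONE", service, "allow"),
        Rule("VLAN ZONE", "VPN", service, "allow"),
    ]


# Flows the post says must work: ping in both directions plus ESP (IPSec)
# for the tunnel itself (constructed from the post's description).
REQUIRED = [
    Flow("VPN", "VLAN ZONE", "PING"),
    Flow("VLAN ZONE", "VPN", "PING"),
    Flow("VPN", "VLAN ZONE", "ESP (IPSec)"),
    Flow("VLAN ZONE", "VPN", "ESP (IPSec)"),
]

# A flow that must stay blocked, to confirm the fix did not widen the policy
# beyond "ping only" (assumed here; HTTP is not mentioned in the post).
UNWANTED = [Flow("VPN", "VLAN ZONE", "HTTP")]


def audit(rules):
    """Return (required flows that are dropped, unwanted flows that are allowed)."""
    dropped = [f for f in REQUIRED if evaluate(rules, f) != "allow"]
    leaked = [f for f in UNWANTED if evaluate(rules, f) == "allow"]
    return dropped, leaked


if __name__ == "__main__":
    print("PING only:", audit(both_ways("PING")))
    print("VPN Services:", audit(both_ways("VPN Services")))
```

With the original PING-only rules, `audit` reports both ESP flows as dropped, which is the log message the post describes; with the VPN Services group both lists are empty, so the tunnel works and the policy still denies everything except ping and ESP.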