Site A required the following site-to-site VPN created.
The above was all created with ease and the VPN connection came up. Site A then requested that the ONLY service allowed over the VPN was "Ping".
The following 2 firewall rules were applied:
VPN -> VLAN ZONE
And the reverse for VLAN ZONE-> VPN
However, this didn't work and the following messges appeared in the logs when Site B tried to ping the server on Site A.
The problem was the VPN Zone doesnt implicity allow VPN traffic ! As you'll see in the above screenshot, port 1 is also being utilized. Looking at the services I could see that port 1 was actually ESP (IP Sec). Therefore you will have to allow the ESP (IPSec) service as well. I did this by creating a Service Group called VPN Services which included PING & ESP (IPSEC) and allowed it both ways.