First, you need to be familiar with the default configurations of the USG series firewall. For example, by default the USG uses DH group1 (768 bits), DES as the encryption algorithm, and SHA1 as the authentication algorithm. If phase 1 fails, change the DH group to group2 (1024 bits), the encryption algorithm to 3DES, and the authentication algorithm to MD5. Second, PFS is optional on the USG series, but it is mandatory in certain peer vendors' products to enhance security. You need to test PFS in the following scenarios: when it is impossible to check the default configurations of the peer vendor's product, when phase 1 negotiation succeeds but phase 2 fails, and when no fault in the USG configuration accounts for the failure. Finally, before configuring the VPN, you need to disable express port forwarding on the ingress.
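
The parameter comparison described above can be rehearsed offline. The following Python is an added example, not Huawei code or USG CLI: it compares a local parameter set with a peer's, reports which negotiation phase a mismatch would break, and lists agreed algorithms commonly treated as weak. The names `diagnose`, `USG_DEFAULT`, `USG_FALLBACK` and `PEER`, the constructed peer values, the contents of `WEAK`, and the simplified rule that any PFS difference fails phase 2 are assumptions.

```python
# Added example: offline comparison of IKE phase 1 / phase 2 parameters.

# USG defaults as stated in the text: DH group1, DES, SHA1, PFS not set.
USG_DEFAULT = {"dh": "group1", "enc": "des", "auth": "sha1", "pfs": None}
# Fallback the text suggests when phase 1 fails.
USG_FALLBACK = {"dh": "group2", "enc": "3des", "auth": "md5", "pfs": None}
# Constructed peer settings (hypothetical vendor that requires PFS).
PEER = {"dh": "group2", "enc": "3des", "auth": "md5", "pfs": "group2"}

# Assumption of this example: algorithms commonly treated as weak today.
WEAK = {"dh": {"group1", "group2"}, "enc": {"des"}, "auth": {"md5"}}

PHASE1_FIELDS = ("dh", "enc", "auth")


def weak_fields(params):
    """Phase 1 fields whose agreed value is in the WEAK set."""
    return [f for f in PHASE1_FIELDS if params[f] in WEAK[f]]


def diagnose(local, peer):
    """Return (failing_phase, mismatched_fields, weak_agreed_fields).

    Simplified model: phase 1 needs identical DH group, encryption and
    authentication algorithms; phase 2 fails on any PFS difference.
    """
    mismatched = [f for f in PHASE1_FIELDS if local[f] != peer[f]]
    if mismatched:
        # Nothing was agreed, so there is no negotiated set to grade.
        return ("phase1", mismatched, [])
    if local["pfs"] != peer["pfs"]:
        return ("phase2", ["pfs"], weak_fields(local))
    return (None, [], weak_fields(local))


if __name__ == "__main__":
    attempts = [
        ("USG defaults", USG_DEFAULT),
        ("fallback, no PFS", USG_FALLBACK),
        ("fallback + PFS", dict(USG_FALLBACK, pfs="group2")),
    ]
    for label, local in attempts:
        phase, fields, weak = diagnose(local, PEER)
        status = f"fails in {phase} on {fields}" if phase else "negotiates"
        print(f"{label}: {status}; weak agreed algorithms: {weak}")
```

A tunnel that only comes up on the fallback set is worth recording for follow-up, since the last line of output shows which of the agreed algorithms fall in the weak set.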