Phenomenon: on the USG5300, `display ike sa` shows that the tunnel is established, but hosts on the two internal networks cannot reach each other.
Analysis:
1. Because the tunnel comes up, the IPsec configuration itself is not the problem.
2. There is no fast-forwarding command on the USG5300 interface, so that cause is excluded.
3. Denying the traffic of interest to IPsec in the NAT outbound policy solves the problem.
Possible causes:
1. Configuration problem.
2. Fast forwarding on the interface was not disabled.
3. The traffic of interest to IPsec was not denied in the NAT outbound policy.
Conclusion: a packet passing through the firewall is matched against the NAT outbound policy first, and only then against the VPN tunnel. So when configuring IPsec VPN, the VPN private-network traffic must be denied (excluded) in the NAT outbound policy; otherwise its source address is translated before the IPsec policy is checked and it no longer matches the tunnel.
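The ordering problem described above, modelled as an added example (not from the original note or from Huawei): NAT outbound is applied before the IPsec policy is matched, so a source-NAT rule that catches the VPN traffic hides it from the tunnel. Addresses, the `Policy` class and the `audit_nat_order` check are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One numbered NAT outbound policy; first match wins."""
    action: str                  # "no-nat" or "source-nat"
    src: str                     # private source network
    dst: str = "0.0.0.0/0"       # destination network (any by default)


def matches(src, dst, src_net, dst_net):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net))


def forward(src, dst, nat_policies, ipsec_acl, public_ip):
    """Model of the firewall's order of operations: NAT outbound first,
    then the (possibly translated) packet is matched against the IPsec ACL.
    Returns (source address on the wire, whether it entered the tunnel)."""
    for p in nat_policies:
        if matches(src, dst, p.src, p.dst):
            if p.action == "source-nat":
                src = public_ip       # private source replaced before IPsec sees it
            break
    tunneled = any(matches(src, dst, a_src, a_dst) for a_src, a_dst in ipsec_acl)
    return src, tunneled


def audit_nat_order(nat_policies, ipsec_acl):
    """Configuration check: report every IPsec-interesting flow whose first
    matching NAT policy is source-nat (the misconfiguration in the note)."""
    bad = []
    for a_src, a_dst in ipsec_acl:
        probe_src = str(ipaddress.ip_network(a_src)[1])
        probe_dst = str(ipaddress.ip_network(a_dst)[1])
        for p in nat_policies:
            if matches(probe_src, probe_dst, p.src, p.dst):
                if p.action == "source-nat":
                    bad.append((a_src, a_dst))
                break
    return bad


# Constructed sample: local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.
IPSEC_ACL = [("192.168.1.0/24", "192.168.2.0/24")]
PUBLIC_IP = "203.0.113.10"
BROKEN = [Policy("source-nat", "192.168.1.0/24")]                     # NATs everything
FIXED = [Policy("no-nat", "192.168.1.0/24", "192.168.2.0/24"),         # exclude VPN flow
         Policy("source-nat", "192.168.1.0/24")]                       # NAT the rest
```

With `BROKEN`, `forward("192.168.1.5", "192.168.2.7", BROKEN, IPSEC_ACL, PUBLIC_IP)` returns the translated address and `False`; with `FIXED` the packet keeps its private source and enters the tunnel, and `audit_nat_order` flags only the broken policy set.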