1. The USG2130 can ping PC2 successfully, whether or not the ping carries a source IP address (the PC1 gateway). However, PC1 cannot ping PC2.
2. The display ipsec sa and display ike sa commands show that the tunnels are established normally.
1. Check the IPSec configuration of the device. The configuration is correct.
2. Check whether the PC1 gateway is on the intranet of the USG2130.
3. Run the debug ipsec all command. It is discovered that the packets sent by PC1 are directly forwarded without being encrypted.
Run the undo ip fast-forwarding qff command to disable the EF function on the intranet interface.
1. The IPSec VPN is not correctly configured on the USG2130 and SRG.
2. PC1 is not configured with the NMS, or the NMS of PC1 is not on the USG2130.
3. The Express Forwarding (EF) function is not disabled on the USG2130.
For the IPSec VPN on low-end devices, you are advised to disable the EF function.
undo ip fast-forwarding qff
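
The failure found above (SAs established, yet PC1's packets forwarded without encryption) can also be confirmed from a capture taken on the public side of the USG2130. The following is an added example, not part of the original case: it flags any packet for the protected flow that leaves as something other than ESP. The subnets, gateway addresses and sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Constructed addressing (assumptions, not taken from the original case)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # PC1 side, behind the USG2130
REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")  # PC2 side, behind the SRG
ESP, ICMP = 50, 1                                    # IP protocol numbers

def ipv4_header(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for sample data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (ipaddress.ip_address(pkt[12:16]),
            ipaddress.ip_address(pkt[16:20]),
            pkt[9])

def find_cleartext_leaks(packets):
    """Flag public-side packets that match the protected flow but are not ESP.

    In tunnel mode the outer header carries the gateway addresses, so a packet
    that still shows the private subnets on the public side bypassed IPSec.
    """
    leaks = []
    for index, pkt in enumerate(packets):
        src, dst, proto = parse_ipv4(pkt)
        protected = ((src in LOCAL_NET and dst in REMOTE_NET) or
                     (src in REMOTE_NET and dst in LOCAL_NET))
        if protected and proto != ESP:
            leaks.append((index, str(src), str(dst), proto))
    return leaks

# Constructed capture: one encrypted packet, one PC1 ping that skipped encryption
SAMPLE_WAN_CAPTURE = [
    ipv4_header("203.0.113.1", "198.51.100.1", ESP, b"\x00" * 16),
    ipv4_header("192.168.1.10", "192.168.2.10", ICMP, b"\x08\x00"),
]

if __name__ == "__main__":
    for leak in find_cleartext_leaks(SAMPLE_WAN_CAPTURE):
        print("cleartext packet for protected flow:", leak)
```

After the EF function is disabled, the same check on a fresh capture should return no entries.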