There are two things you should check here:
- You should permit IPsec traffic on the zone-pair from your outside zone to the self zone; this is needed for the security association.
- Make sure the traffic that goes through the VPN is also permitted in your zone-pair(s).
For example, let’s say your router has an INSIDE, OUTSIDE and SELF zone. Your local network is 192.168.1.0/24 and the remote network is 192.168.2.0/24.
You will need one zone-pair for OUTSIDE_TO_SELF that permits isakmp, something like this:
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
For the VPN traffic, you will need a zone-pair for INSIDE_TO_OUTSIDE that inspects traffic. This will only allow VPN traffic if it originates from the 192.168.1.0/24 network. It might be better to create two zone-pairs:
Instead of using inspect, use regular permits. Something like:
ip access-list extended LAN1_LAN2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended LAN2_LAN1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Attach LAN1_LAN2 to the INSIDE_TO_OUTSIDE zone-pair with a permit and LAN2_LAN1 to OUTSIDE_TO_INSIDE with a permit.
Hope this helps; if not, let me know and I’ll see if I can post a complete configuration example.
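The following is an added, complete zone-based firewall configuration that ties the pieces above together (ACLs, class-maps, policy-maps, zone-pairs). It is an example written for this thread, not the original poster's configuration. The class-map and policy-map names, the CM_GENERAL inspect class and the GigabitEthernet0/0 and 0/1 interface assignments are assumptions; the zone names, ACL names and the 192.168.1.0/24 and 192.168.2.0/24 networks are taken from the answer above.

```cisco
! ACL for the IKE/IPsec control and data traffic terminating on the router itself
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
!
! ACLs for the decrypted site-to-site traffic, one per direction
ip access-list extended LAN1_LAN2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended LAN2_LAN1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Class-maps that reference the ACLs (names are assumed)
class-map type inspect match-all CM_ISAKMP_IPSEC
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all CM_LAN1_LAN2
 match access-group name LAN1_LAN2
class-map type inspect match-all CM_LAN2_LAN1
 match access-group name LAN2_LAN1
! Generic class for ordinary internet-bound traffic that should be stateful-inspected
class-map type inspect match-any CM_GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! OUTSIDE -> SELF: pass the IPsec/IKE traffic, drop and log everything else
policy-map type inspect PM_OUTSIDE_TO_SELF
 class type inspect CM_ISAKMP_IPSEC
  pass
 class class-default
  drop log
!
! INSIDE -> OUTSIDE: pass VPN traffic statelessly, inspect everything else
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_LAN1_LAN2
  pass
 class type inspect CM_GENERAL
  inspect
 class class-default
  drop log
!
! OUTSIDE -> INSIDE: pass only the return VPN traffic, drop and log the rest
policy-map type inspect PM_OUTSIDE_TO_INSIDE
 class type inspect CM_LAN2_LAN1
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PM_OUTSIDE_TO_SELF
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUTSIDE_TO_INSIDE
!
! Interface assignments are assumed; adjust to the real LAN and WAN interfaces
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Two points worth keeping in mind with this layout: `pass` is stateless, so the VPN traffic needs a matching `pass` in both the INSIDE_TO_OUTSIDE and OUTSIDE_TO_INSIDE zone-pairs, which is why the two ACLs exist; and no SELF_TO_OUTSIDE zone-pair is defined, so the router's own IKE and ESP replies toward the peer are permitted by the default self-zone behaviour. Verify the result with `show policy-map type inspect zone-pair` and by checking that the `drop log` counters on class-default stay at zero once the tunnel is up.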