Two interfaces are used to connect to different internet providers, and are configured in different zones. A single IPSec gateway has been configured on one of those interfaces.
Logs show that ESP traffic is being dropped when the local firewall opens the tunnel. When the remote site initiates the VPN connection, phase 1 fails and the tunnel never comes up.
Issue
When two internet providers are used, VPN traffic can arrive via either provider. For example, the tunnel is established via the provider connected to the interface on which the gateway is configured, but return traffic might take a different path and be received on the other interface. Because the two public-facing interfaces are in different zones, a tunnel opened in one zone has no session in the other zone, so return traffic received via the other zone is dropped.
Resolution
To allow return traffic from the other interface, one of two things can be done:
Configure both public interfaces to be in the same zone
Use a loopback address in the same zone as the interface on which the gateway is configured
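The following is an added illustration, not configuration or code from the firewall vendor: a small Python model of a stateful, zone-aware session table that reproduces the drop described above and shows why placing both public interfaces in the same zone resolves it. Interface names (ethernet1/1, ethernet1/2), zone names and the IP addresses are constructed for the example, and the session-matching rule is a deliberately simplified model of zone-based inspection.

```python
"""Simplified model of zone-based session matching for a dual-ISP IPSec gateway.

Constructed example: the firewall records, for each session, the zone in which
the first packet was seen. A later packet that matches the session's addresses
but arrives on an interface in a different zone is treated as having no
session and is dropped. This mirrors the behaviour described in the article;
it is not a real firewall's implementation.
"""
from dataclasses import dataclass

ESP = 50  # IP protocol number for ESP (IPSec phase 2 traffic)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ingress_if: str  # interface the packet was received on


class ZoneFirewall:
    def __init__(self, zone_of_interface):
        # interface name -> zone name (assumed mapping, constructed below)
        self.zone_of = dict(zone_of_interface)
        # session key -> zone in which the session was opened
        self.sessions = {}

    @staticmethod
    def _key(src, dst, proto):
        # Direction-independent key so the reply matches the same entry
        return (frozenset({src, dst}), proto)

    def open_tunnel(self, local_if, local_ip, peer_ip):
        """Local firewall initiates the tunnel out of local_if; the ESP session
        is recorded in that interface's zone."""
        zone = self.zone_of[local_if]
        self.sessions[self._key(local_ip, peer_ip, ESP)] = zone
        return zone

    def receive(self, pkt):
        """Return 'allow' or a 'drop: ...' reason for an inbound packet."""
        ingress_zone = self.zone_of[pkt.ingress_if]
        session_zone = self.sessions.get(self._key(pkt.src, pkt.dst, pkt.proto))
        if session_zone is None:
            return "drop: no session"
        if session_zone != ingress_zone:
            # Same addresses, but the packet entered through a different zone
            return f"drop: session opened in zone {session_zone}, packet arrived in zone {ingress_zone}"
        return "allow"


def simulate(zone_map):
    """Open the tunnel on ethernet1/1, then deliver the peer's ESP reply on
    ethernet1/2 (the path via the other provider) and report the verdict."""
    fw = ZoneFirewall(zone_map)
    fw.open_tunnel("ethernet1/1", "198.51.100.10", "203.0.113.5")
    reply = Packet(src="203.0.113.5", dst="198.51.100.10",
                   proto=ESP, ingress_if="ethernet1/2")
    return fw.receive(reply)


# Constructed zone layouts: the failing one (each provider in its own zone)
# and the corrected one (both public interfaces in a single zone).
SEPARATE_ZONES = {"ethernet1/1": "isp-a", "ethernet1/2": "isp-b"}
SAME_ZONE = {"ethernet1/1": "untrust", "ethernet1/2": "untrust"}

if __name__ == "__main__":
    print("separate zones:", simulate(SEPARATE_ZONES))
    print("same zone:     ", simulate(SAME_ZONE))
```

Running the model shows the asymmetric-path ESP reply being dropped under the two-zone layout and allowed once both interfaces share a zone; the same check would apply to the IKE (UDP/500 or UDP/4500) exchange when the remote side initiates, which is why phase 1 also fails in the original configuration.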