Device: ERL3 Lite
Firmware: 1.8
I have set up an IPsec VPN to our cloud provider but am having issues getting traffic to pass through it. When I set it up in the GUI, the VPN would never connect. I ended up deleting the VPN config and re-adding it in the CLI according to this document, https://help.ubnt.com/hc/en-us/articles/205203170. Some of the commands in that document were not accepted on this firmware, so I had to figure out which ones to replace; for example, the keyword for the local and remote subnet is no longer 'subnet', it is 'prefix'. But I digress... it has been very frustrating just getting the tunnel up.
I have set up the VPN, set up allow rules and added a NAT exclusion. I can see traffic hitting the exclusion rule, but it is not getting to the other side.
From the UBNT itself I can ping everything on the cloud provider side, and from the cloud provider I can ping eth2 (10.2.72.1) on the UBNT, but that is it. No local machine can reach the cloud servers at all, and none of the cloud servers can reach anything but the UBNT.
This is my first time using a UBNT router, so I'm not sure what I am missing; the setup on these is different from what I am used to. The configs are below.
admin@UBNT:~$ show configuration
/* NOTE(review): two things stand out here. PRIVATE_NETS omits the tunnel's remote prefix 192.168.101.0/24, so LAN traffic for the cloud subnet falls through 'modify balance' to rule 40 and is load-balanced instead of being pinned to table main (likely why LAN hosts cannot reach the cloud). And WAN_IN is defined but not attached to eth0 or eth1 ('firewall in' is empty on both), so forwarded traffic entering the WAN is unfiltered. */
firewall {
all-ping enable
broadcast-ping disable
/* Only 10.0.0.0/8 is listed; 192.168.101.0/24 (vpn site-to-site tunnel 1 remote prefix) is not, so modify rule 10 below never matches cloud-bound traffic - add it here (set firewall group network-group PRIVATE_NETS network 192.168.101.0/24) */
group {
network-group PRIVATE_NETS {
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
/* Hardening: martian logging is off; enabling it is cheap and helps spot spoofed packets arriving on eth0 */
log-martians disable
/* Applied on eth2 'in' (see interfaces). Rules 10-30 keep LAN-to-LAN traffic and traffic to this router's own WAN addresses in table main; everything else is handed to lb-group G by rule 40 before the routing decision */
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
/* Catch-all for the load balancer. With 192.168.101.0/24 in no group, LAN->cloud packets presumably land here - confirm with 'show load-balance status' / 'show ip route table' and exclude the VPN prefix via PRIVATE_NETS above */
rule 40 {
action modify
modify {
lb-group G
}
}
}
/* Defined but unused: no interface references WAN_IN (eth0/eth1 'firewall in' are empty), so forwarded traffic entering the WAN - including decrypted IPsec traffic - is not filtered. Attach it with 'set interfaces ethernet eth0 firewall in name WAN_IN' */
name WAN_IN {
default-action drop
description "WAN to internal"
enable-default-log
/* Source 10.2.72.0/24 is the LAN; such traffic enters on eth2, not the WAN, so this rule should never match in WAN_IN - rule 2 is the one that admits inbound tunnel traffic */
rule 1 {
action accept
description VPN
destination {
address 192.168.101.0/24
}
ipsec {
match-ipsec
}
log enable
protocol all
source {
address 10.2.72.0/24
}
}
/* Admits decrypted tunnel traffic from the cloud subnet to the LAN on every protocol/port; narrow this to the services the cloud side actually needs if possible */
rule 2 {
action accept
description "VPN In"
destination {
address 10.2.72.0/24
}
ipsec {
match-ipsec
}
log enable
protocol all
source {
address 192.168.101.0/24
}
}
/* Accepts all ICMP from any source to any destination behind the router; consider limiting it to echo-request plus the error types needed for PMTU, or dropping it if inbound ping is not required */
rule 3 {
action accept
description "Allow Ping"
destination {
address 0.0.0.0/0
}
log disable
protocol icmp
source {
address 0.0.0.0/0
}
}
/* Stateful allow. Because it sits after rules 1-2 (log enable), every packet of an established VPN flow is matched and logged by those rules first; moving this rule to the top cuts the log volume */
rule 4 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 5 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Traffic addressed to the router itself on eth0/eth1. IKE (udp/500,4500) and ESP are not listed; presumably EdgeOS inserts those automatically for the interface named under 'ipsec-interfaces' - verify with 'show firewall' if the tunnel ever fails to establish */
name WAN_LOCAL {
default-action drop
description "WAN to router"
enable-default-log
/* Destination is the cloud subnet, not this router, so this 'local' rule cannot match; harmless but dead */
rule 1 {
action accept
description VPN
destination {
address 192.168.101.0/24
}
ipsec {
match-ipsec
}
log enable
protocol all
source {
address 10.2.72.0/24
}
}
/* Lets decrypted traffic from the cloud subnet reach the router on every protocol/port (this is why the cloud side can ping eth2, and it also reaches GUI 443 / SSH 22); narrow to what is needed, e.g. icmp and dns */
rule 2 {
action accept
description "VPN In"
destination {
address 10.2.72.0/24
}
ipsec {
match-ipsec
}
log enable
protocol all
source {
address 192.168.101.0/24
}
}
/* 'log enable' on the established/related rule logs every packet of every existing flow to the router - very noisy; disable logging here once the tunnel is debugged */
rule 3 {
action accept
description "Allow established/related"
log enable
state {
established enable
related enable
}
}
/* Router answers ping from anywhere on the internet (all-ping is also enabled above); acceptable, but rate-limiting or restricting the source is common on WAN-facing boxes */
rule 4 {
action accept
description "Allow Ping"
destination {
address 0.0.0.0/0
}
log enable
protocol icmp
source {
address 0.0.0.0/0
}
}
/* Management exposure: GUI (80/443) and SSH (22) are reachable from an internet /24. Drop tcp/80 if only HTTPS is used, and consider reaching management over the VPN or LAN instead of the WAN */
rule 5 {
action accept
description Remote_Management
destination {
port 80,443,22
}
log enable
protocol tcp
source {
address 65.xxx.xxx.0/24
}
}
rule 6 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
}
receive-redirects disable
/* Hardening: the router advertises ICMP redirects; disabling this is usual on a WAN-facing device */
send-redirects enable
/* Reverse-path check is off. 'strict' rejects packets whose source is not routed back out the ingress interface (e.g. WAN packets claiming a 10.2.72.x source); 'loose' only requires the source be routable at all. strict can interact badly with the load balancer's policy routing - test before relying on it */
source-validation disable
syn-cookies enable
}
interfaces {
/* Primary WAN and the IPsec local-address. 'firewall in' is empty, so forwarded traffic entering eth0 (including decrypted tunnel traffic) is unfiltered - attach WAN_IN here */
ethernet eth0 {
address 50.xxx.xxx.5/30
description "Internet - WAN"
duplex auto
firewall {
/* Empty: no ruleset applies to forwarded traffic arriving on eth0 */
in {
}
local {
name WAN_LOCAL
}
}
speed auto
}
/* Second WAN, currently disabled but still a member of lb-group G and the outbound interface for nat rule 5002. If it is enabled later, also attach WAN_IN here and remember the tunnel is bound to eth0's address only */
ethernet eth1 {
address dhcp
description "Internet - WAN 2"
disable
duplex auto
firewall {
in {
}
local {
name WAN_LOCAL
}
}
speed auto
}
/* LAN. 'modify balance' runs on ingress here, so every LAN-originated packet - including packets for the cloud subnet - goes through the load-balancing policy before the routing decision */
ethernet eth2 {
address 10.2.72.1/24
description Local
duplex auto
firewall {
in {
modify balance
}
}
speed auto
}
loopback lo {
}
}
/* eth1 is disabled (see interfaces), so group G effectively has a single member; the 'modify balance' rules on eth2 still send non-excluded traffic through this group, which is presumably what diverts cloud-bound LAN traffic away from the tunnel */
load-balance {
group G {
interface eth0 {
}
interface eth1 {
}
}
}
/* No static routes: reaching 192.168.101.0/24 relies entirely on the IPsec policy plus whichever routing path the 'modify balance' rules select for the packet */
protocols {
static {
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name 10.2.72.0 {
authoritative disable
subnet 10.2.72.0/24 {
default-router 10.2.72.1
/* The first DNS server handed to LAN clients sits on the far side of the tunnel (192.168.101.0/24); until LAN->cloud forwarding works, clients will typically time out on it before falling back to 75.75.75.75, which looks like general slowness */
dns-server 192.168.101.66
dns-server 75.75.75.75
lease 86400
start 10.2.72.50 {
stop 10.2.72.200
}
}
}
}
/* Forwarder listens on the LAN only; it is not offered on eth0/eth1 */
dns {
forwarding {
cache-size 150
listen-on eth2
}
}
/* The GUI on 443 is reachable from the internet via WAN_LOCAL rule 5 (and from the cloud subnet via WAN_LOCAL rule 2); prefer managing over LAN/VPN and removing the WAN exposure */
gui {
https-port 443
}
nat {
/* Exclusion must stay ahead of 5001 so LAN->cloud traffic keeps its 10.2.72.x source (masqueraded packets would leave as 50.xxx.xxx.5 and never match the tunnel selector). Empty source = any. Only covers eth0, which is fine while the tunnel's local-address is eth0 */
rule 5000 {
description "IPSEC Exclude"
destination {
address 192.168.101.0/24
}
exclude
log enable
outbound-interface eth0
protocol all
source {
}
type masquerade
}
/* 'log enable' here records every new masqueraded connection - heavy syslog noise; disable once the tunnel is debugged */
rule 5001 {
description "masquerade for WAN"
destination {
}
log enable
outbound-interface eth0
protocol all
source {
}
type masquerade
}
/* No 192.168.101.0/24 exclusion on eth1: if eth1 is enabled and the load balancer sends cloud-bound traffic that way, it will be masqueraded and fall outside the IPsec selector */
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
/* SSH is reachable from the internet via WAN_LOCAL rule 5; consider key-only authentication (service ssh disable-password-authentication, if this firmware supports it) */
ssh {
port 22
protocol-version v2
}
}
system {
/* Connection tracking sized up. 'loose enable' lets conntrack adopt TCP flows mid-stream, which asymmetric paths from the load balancer may need but which also weakens state checking */
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
gateway-address 50.xxx.xxx.6
host-name UBNT
/* Both a plaintext-password and an encrypted-password node are present (masked in this paste). EdgeOS normally hashes the plaintext into encrypted-password on commit - check that the saved config.boot holds only the hash before sharing it */
login {
user admin {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server 75.75.76.76
name-server 75.75.75.75
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
/* debug on 'protocols' captures the IKE/IPsec negotiation - useful while debugging the tunnel, noisy afterwards; drop back to notice when done */
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi disable
export enable
}
}
/* Policy-based site-to-site IPsec to the cloud provider. Selectors are 10.2.72.0/24 <-> 192.168.101.0/24, matching WAN_IN/WAN_LOCAL rules 1-2 and nat rule 5000 */
vpn {
ipsec {
disable-uniqreqids
/* Phase 2: AES-128/SHA-1, 30-minute lifetime, no PFS. With pfs disabled, recovery of the IKE SA keys exposes every child SA; enable pfs (dh-group14 or stronger) if the provider supports it */
esp-group vpntunnel {
compression disable
lifetime 1800
mode tunnel
pfs disable
proposal 1 {
encryption aes128
hash sha1
}
}
/* Phase 1: dh-group 2 is 1024-bit MODP and SHA-1 is deprecated for new deployments; prefer dh-group 14 or higher and sha256. Both ends must agree, so check what the cloud side offers */
ike-group vpntunnel {
lifetime 28800
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
/* Binding eth0 is what makes the router terminate IKE/ESP on the WAN address; presumably the matching udp/500,4500 and ESP allow rules are inserted automatically, since WAN_LOCAL contains none */
ipsec-interfaces {
interface eth0
}
logging {
log-level 2
}
/* Off is only appropriate because local-address is the public eth0 address with no NAT in front of it; re-enable if the upstream ever NATs this router */
nat-traversal disable
site-to-site {
peer 50.xxx.xxx.68 {
/* PSK authentication (value masked); use a long random secret, and rotate it if it has ever been pasted into tickets or forum posts */
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type initiate
default-esp-group vpntunnel
ike-group vpntunnel
local-address 50.xxx.xxx.5
/* Traffic selectors. LAN packets must reach the tunnel with their 10.2.72.x source intact (nat rule 5000) and presumably must not be diverted by the load balancer first (see PRIVATE_NETS / modify rule 40) */
tunnel 1 {
esp-group vpntunnel
local {
prefix 10.2.72.0/24
}
remote {
prefix 192.168.101.0/24
}
}
}
}
}
}