Server-side tunnel policy
The server-side requires an explicit proxy policy that sets the proxy to wanopt. You must add this policy from the CLI and policies with proxy set to wanopt do not appear on the GUI. From the CLI the policy could look like the following:
configure firewall explicit-proxy-policy
edit 3
set proxy wanopt
set dstintf internal
set srcaddr all
set dstaddr server-subnet
set action accept
set schedule always
set service ALL
next
end