Cannot make a S2S IPSEC vpn with Er605 and Unifi UCG

a week ago - last edited a week ago
Tags: #VPN
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.3.0 Build 20250428 Rel.18967

Hi guys!

I'm just running out of options. I'm trying to establish a Site-to-Site VPN between my customer's ER605 and my Unifi UCG.

I have already tried every option: SHA, IKE versions, PSK, PFS, but nothing seems to work. Every time I get this in the UCG logs: NO-PROPOSAL-CHOSEN.

#1
Accepted Solution
a week ago - last edited a week ago

@MR.S

I just found the problem.

I need to use the IP in the tunnel configuration on the ER605 side, because when it tries to resolve the name, it gets the reverse IP instead.

When I changed it to the IP, it worked like a charm.

Thanks for the guidance!

#12

11 Replies
a week ago

@Otavio_Rievert

Setting up a VPN to a UCG is quite simple. You have to make sure that you use route-based on the UCG, and you should also not create any manual routing on the UCG; many people make this mistake and the tunnel does not work.

Set up the UCG like this and it works.
#2
a week ago

@MR.S

Hi MR.S, I have just the same settings as in your print.

But the connection still refuses to go up.

The print below shows my UCG:

Next is the ER605:

I already tried all combinations, and the local and remote IDs in auto and not auto.

#3
a week ago

@Otavio_Rievert

And do both have a public IP on the WAN interface? No manual route added on the UCG or ER605?
#4
a week ago - last edited a week ago

@Otavio_Rievert

Double-check your phase 2 setting: you have DH14 selected for phase 2, but Mr.S recommended DH5 for phase 2.

Also, do you have the ER605 as the initiator? It's just set as responder in your screenshot, and if both are responders they will never connect.

#5
a week ago

@GRL

UniFi is not so good at IPsec; there is also very little configuration. For example, you can't choose the local network, only the remote network, so all VLANs will go into the tunnel. It causes a lot of trouble for Cisco and Mikrotik routers that see these VLANs in the VPN and create error messages in the log all the time. You can't choose initiator mode or responder mode either. Also, all UniFi routers are painfully slow with IPsec, even the UXG-Enterprise.

@Otavio_Rievert

You also have to make sure that the WAN IP is tied to the VPN tunnel. I have had some problems with the WAN IP suddenly not being connected to the VPN interface.
#6
a week ago

@MR.S

About the public IP: the ER605 has a DMZ and NAT; on the ESP router I define the DMZ and the port forwarding. The UCG has its public IP.

About the UCG, I had to disable all the VLANs; the point you make about it putting all LANs on the IPsec makes a big mess of the configs.

I think maybe the problem is with the Remote_ID/Local_ID, but I have already tried every combination of these settings too.

@GRL, I set the DH as MR.S has recommended, but got the same results.

#7
a week ago

@Otavio_Rievert

If you have the ER605 behind NAT then you have to set it to be the initiator. Set the local ID name on the ER605 to e.g. ER605; on the UCG you have to set Remote Authentication ID to ER605. It should work.

You don't have to disable any VLAN on the UCG. The ER605 works anyway.
#8
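The replies above check the same handful of things in turn: which side initiates (the NAT'd side must), whether the phase 2 DH/PFS group matches, whether the Local ID on the ER605 equals the Remote Authentication ID on the UCG, and, from the accepted solution, whether the remote gateway configured as a hostname actually resolves to the peer. The script below is an added example that is not from the thread, TP-Link or Ubiquiti; it models two constructed peers (names `UCG` and `ER605`, addresses in documentation ranges, a made-up DNS table) and reports which of those checks would keep the tunnel from coming up. Phase 1 and phase 2 are modelled as proposal sets; a mismatched PFS group is what produces the NO-PROPOSAL-CHOSEN case from the opening post.

```python
"""Constructed model of an IPsec site-to-site negotiation between two peers.

Added example for the thread, not code from the posters or from TP-Link or
Ubiquiti. Peer names, addresses and the DNS table are made up. It checks the
things the replies ask about: initiator/responder role, which side sits
behind NAT, IKE version, phase 1 / phase 2 proposal overlap, the phase 2 PFS
(DH) group, the Local ID / Remote Authentication ID pair, and whether the
remote gateway as configured really points at the other peer.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed resolver table: the hostname resolves to the wrong address,
# the situation behind the accepted solution (use the IP, not the name).
FAKE_DNS: Dict[str, str] = {"vpn.example.test": "198.51.100.7"}


@dataclass
class Peer:
    name: str
    public_ip: str            # address the other peer can reach this one at
                              # (the NAT router's address if behind NAT)
    remote_gateway: str       # IP or hostname configured for the other peer
    role: str                 # "initiator" or "responder"
    behind_nat: bool
    local_id: str             # identity this peer presents (Local ID)
    remote_id: str            # identity it expects (Remote Authentication ID)
    ike_version: int
    phase1: Set[Tuple[str, str, str]]   # (encryption, hash, DH group), IKE SA
    phase2: Set[Tuple[str, str]]        # (encryption, hash), IPsec SA
    pfs_group: Optional[str]            # phase 2 DH group; None = PFS off


def resolve(target: str, dns: Dict[str, str]) -> str:
    """Resolve a hostname through the constructed table; IPs pass through."""
    return dns.get(target, target)


def negotiate(a: Peer, b: Peer, dns: Dict[str, str] = FAKE_DNS) -> List[str]:
    """Return the reasons the tunnel would not come up; empty means it should."""
    findings: List[str] = []
    if a.role == b.role == "responder":
        findings.append("both peers are responders: nobody starts IKE")
    for me, other in ((a, b), (b, a)):
        if me.behind_nat and me.role != "initiator":
            findings.append(f"{me.name} is behind NAT but is not the initiator")
        target = resolve(me.remote_gateway, dns)
        if target != other.public_ip:
            findings.append(f"{me.name}: remote gateway {me.remote_gateway!r} "
                            f"resolves to {target}, peer is at {other.public_ip}")
    if a.ike_version != b.ike_version:
        findings.append("IKE version mismatch")
    # Phase 1: the responder needs at least one proposal it also offers.
    if not a.phase1 & b.phase1:
        findings.append("NO-PROPOSAL-CHOSEN in phase 1 (IKE SA)")
    # Phase 2: transforms must overlap and the PFS group must be identical;
    # DH14 on one side and DH5 on the other is enough to trigger this.
    if not a.phase2 & b.phase2 or a.pfs_group != b.pfs_group:
        findings.append("NO-PROPOSAL-CHOSEN in phase 2 (PFS group or transform)")
    # Identities are checked crosswise: A's Local ID must equal B's Remote ID.
    if a.local_id != b.remote_id or b.local_id != a.remote_id:
        findings.append("Local ID / Remote Authentication ID mismatch")
    return findings


def thread_pair(er605_pfs: str = "DH14", er605_role: str = "responder",
                er605_gateway: str = "vpn.example.test") -> Tuple[Peer, Peer]:
    """Two constructed peers shaped like the thread: UCG with a public IP,
    ER605 behind NAT. The defaults reproduce the failing configuration."""
    ucg = Peer("UCG", "203.0.113.10", "198.51.100.20", "responder", False,
               "203.0.113.10", "ER605", 2,
               {("aes256", "sha256", "DH14")}, {("aes256", "sha256")}, "DH5")
    er605 = Peer("ER605", "198.51.100.20", er605_gateway, er605_role, True,
                 "ER605", "203.0.113.10", 2,
                 {("aes256", "sha256", "DH14")}, {("aes256", "sha256")},
                 er605_pfs)
    return ucg, er605


def failing() -> List[str]:
    return negotiate(*thread_pair())


def fixed() -> List[str]:
    # Phase 2 DH group aligned, ER605 made initiator, gateway given as an IP.
    return negotiate(*thread_pair("DH5", "initiator", "203.0.113.10"))


if __name__ == "__main__":
    for label, result in (("failing", failing()), ("fixed", fixed())):
        print(f"{label}: {result or 'tunnel should come up'}")
```

Running it prints four findings for the default pair (both responders, the NAT'd ER605 not initiating, the hostname resolving to the wrong address, and the phase 2 PFS mismatch) and none once those are corrected. The ID check is crosswise on purpose: the value typed as Local ID on one router is the value the other router must be told to expect, which is the point MR.S makes with "ER605 or 1234".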
a week ago

@MR.S

So in the Local ID I have to set it to NAME, and what name? Like the FQDN of the WAN link, or like "Local_ID" as shown in some docs?

And on the UCG side, set the Remote Authentication ID to the same, right?

#9
a week ago

@Otavio_Rievert

Set whatever you want, but you must have the same name on both routers; set for example ER605 or 1234.

#10
a week ago

@Otavio_Rievert

Here is an example that I made just now: it is an ER707-M2 behind NAT that has a VPN to a UX7 with a public IP.
#11