My question is similar to this thread Exclude CPM traffic from implied rules however I have a 77.30 GW on-prem with a VPN to an R80.10 AWS vSec instance. Both are managed by different managers. So when the traffic is initiated from my management client behind the 77.30 GW, it encrypts. When it gets to the 80.10 GW it "accepts" and doesn't decrypt. So I followed the thread above where I commented out ENABLE_CPMI, but no change. Encrypt on the on-prem side (I did not change anything there) and accept on rule zero at AWS.
Here is my implied_rules.def