USG at branches with routed IPsec via VTI interfaces and BGP not working in a fully symmetrical manner

ohornig
ohornig Posts: 2
edited April 2021 in Security

Hello,

I am here with a somewhat strange problem. I have configured an IPsec VPN between a Fortinet Fortigate acting as the VPN hub with a public IP address and a USG20-VPN as a hidden branch with only a private IP address.

I used a verified configuration on the Fortigate side (Dial-Up IPsec with an addressed interface) and started to play with the IPsec parameters on the USG side. I configured a VPN Gateway, a VPN connection, a VTI interface, BGP and also a policy route. The tunnel is up and running.

BGP routes are exchanged between the VTI on the USG and the tunnel interface on the Fortigate. The VTI of the USG is not pingable from the Fortigate, but the Fortigate interface is pingable from the USG.

I am able to ping a server at HQ (Fortigate side) from a computer at the branch (USG side), so a connection established from the branch side works properly (RDP and other protocols also work). But I am not able to ping from HQ to the branch: a connection initiated from HQ does not work.

After a few days of searching, playing with parameters and reconfiguring a number of setups (the policy-based variant behaves in the same way), I am out of ideas.

Is there something that I am missing?

Thanks to anybody for a reply.

All Replies

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,062  Zyxel Employee

    Hi @ohornig

    Can you trace packets on the VTI interface while you ping from the Fortigate, to see if any request is coming in from the Fortigate?

    Here are the steps to trace packets on the USG.

    SSH into the USG and type the command below to trace the packets from the Fortigate.

    Router> packet-trace interface vti1 ip-proto icmp
    (replace vti1 with the name of your VTI interface)

    Then check whether any packets are coming in from the Fortigate.

    Here is the example


  • ohornig
    ohornig Posts: 2

    Hi Jerry,

    thank you for your response; it is helpful.

    I see in packet-trace:

    • outgoing ICMP if I ping from the branch
    • outgoing and incoming BGP exchanges between tunnel ends

    No incoming traffic.
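An added example for reading a trace like the one described above. This script is the editor's, not code from either poster or from Zyxel; it assumes the USG `packet-trace` output is tcpdump-style text with one packet per line, and all addresses in it (10.255.0.1/10.255.0.2 for the two tunnel ends, 192.168.10.0/24 for the branch LAN, 10.10.0.0/16 for HQ) are hypothetical stand-ins for the poster's real addressing. It tallies packets per direction and protocol so the asymmetry is visible as numbers rather than by eye, and the `diagnose` function encodes the usual reading of that pattern: if BGP flows both ways over the VTI but no HQ-originated echo request ever appears on it, the packets are not being steered into the tunnel at the hub (routing, policy or phase-2 selectors toward the branch prefix), so the branch firewall is not the first place to look.

```python
"""Tally USG packet-trace lines by direction to confirm an asymmetric VPN.

Added example, not code from the thread or from Zyxel. Assumes tcpdump-style
packet-trace output and hypothetical addressing (see comments below).
"""
import ipaddress
import re
from collections import Counter

# Hypothetical addressing (assumption, not from the thread):
#   10.255.0.1       USG vti1 address (branch end of the tunnel)
#   10.255.0.2       Fortigate tunnel interface address (HQ end)
#   192.168.10.0/24  branch LAN behind the USG
#   10.10.0.0/16     HQ networks behind the Fortigate
LOCAL_NETS = [ipaddress.ip_network("10.255.0.1/32"),
              ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample trace shaped like the situation in the thread:
# outbound ICMP echo requests, BGP in both directions, nothing else inbound.
SAMPLE_TRACE = """\
12:00:01.000001 IP 192.168.10.20 > 10.10.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 IP 10.255.0.1.45000 > 10.255.0.2.179: Flags [P.], seq 1:20, ack 1, win 100, length 19: BGP
12:00:01.000003 IP 10.255.0.2.179 > 10.255.0.1.45000: Flags [P.], seq 1:20, ack 20, win 100, length 19: BGP
12:00:02.000001 IP 192.168.10.20 > 10.10.0.5: ICMP echo request, id 1, seq 2, length 64
12:00:31.000001 IP 10.255.0.1.45000 > 10.255.0.2.179: Flags [.], ack 20, win 100, length 0
"""

# tcpdump-style line: "<ts> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def is_local(addr):
    """True when addr belongs to the branch side (LAN or local VTI address)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def classify(line):
    """Return (direction, protocol) for one trace line, or None if unparsable.

    direction is "out" when the source is a branch address, otherwise "in".
    protocol is "icmp-request", "icmp-reply", "bgp" or "other".
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    direction = "out" if is_local(m["src"]) else "in"
    rest = m["rest"]
    if rest.startswith("ICMP echo request"):
        proto = "icmp-request"
    elif rest.startswith("ICMP echo reply"):
        proto = "icmp-reply"
    elif "179" in (m["sport"], m["dport"]):
        proto = "bgp"  # TCP/179 in either direction, bare ACKs included
    else:
        proto = "other"
    return direction, proto


def summarize(trace):
    """Count packets per (direction, protocol) over a whole trace."""
    counts = Counter()
    for line in trace.splitlines():
        c = classify(line)
        if c:
            counts[c] += 1
    return counts


def diagnose(counts):
    """Name the asymmetry the counts show (heuristic reading, not a proof)."""
    bgp_both = counts[("in", "bgp")] > 0 and counts[("out", "bgp")] > 0
    hq_requests_seen = counts[("in", "icmp-request")] > 0
    if bgp_both and not hq_requests_seen:
        return ("tunnel carries BGP in both directions but no HQ-initiated "
                "echo requests reach the VTI: check the hub side "
                "(route, policy or phase-2 selectors toward the branch prefix)")
    if hq_requests_seen and counts[("out", "icmp-reply")] == 0:
        return "HQ requests arrive but no replies leave: check branch policy/firewall"
    return "no asymmetry detected in this trace"


if __name__ == "__main__":
    totals = summarize(SAMPLE_TRACE)
    for (direction, proto), n in sorted(totals.items()):
        print(f"{direction:>3} {proto:<13} {n}")
    print(diagnose(totals))
```

Feed it the saved output of the `packet-trace` command (without the `ip-proto icmp` filter, so BGP is captured too) after adjusting `LOCAL_NETS` to the real branch addressing; the second branch of `diagnose` covers the opposite case, where requests do arrive but the branch never answers.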
