Hello spuluka,
Route and policies were set for the 3 sites, but the pings still time out.
The interesting thing is that all 3 sites' firewall logs show the pings are allowed with the correct zone/subnet/workstation's IP and use the correct policy. For example, I ping from siteA to siteB. SiteB logs show there are pings from siteA and they are allowed.
But the workstation in siteA (e.g. Windows cmd) shows a timeout. I suspect the ping response back from siteB to siteA requires hairpin NAT.
All 3 firewalls are using route-based VPN. Proxy-ID is not set as it is not necessary for the current setup.