SR66 and ER router are unable to communicate after IPSec was established

1. Check IKE SA and Ipsec SA, both of which have been established normally: 

<SR6602>dis ike sa
    total phase-1 SAs:  2
    connection-id  peer                    flag        phase   doi
  ----------------------------------------------------------------
     15            211.X.X.12           RD|ST       1       IPSEC
     17            222.X.X.92          RD          1       IPSEC
     16            211.X.X.12           RD|ST       2       IPSEC
     18            222.X.X.92          RD          2       IPSEC

<SR6602>dis ipsec sa
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "bfy2"
  sequence number: 1
  acl version: ACL4
  mode: isakmp
  -----------------------------
    PFS: N, DH group: none
    tunnel:
        local  address: 121.X.X.222
        remote address: 211.X.X.12
    flow:
        sour addr: 192.168.35.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 0xA1DA1B76(2715425654)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 3
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843154/3063
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 0xA7135208(2803061256)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 4
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843106/3063
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "bfy2"
  sequence number: 2
  acl version: ACL4
  mode: isakmp
  -----------------------------
    PFS: N, DH group: none
    tunnel:
        local  address: 121.X.X.222
        remote address: 222.X.X.92
    flow:
        sour addr: 192.168.35.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 0x96C45E7B(2529451643)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 5
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843189/3067
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N
               
    [outbound ESP SAs]
      spi: 0x8357A1BE(2203558334)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 6
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843200/3067
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N

2. Check the route of the headquarters, and it is normal  

===============display ip routing-table===============
============================================================
Routing Tables: Public
 Destinations : 23 Routes : 23

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/0           Static 60   0            121.X.X.217   GE0/0/1

3. The ipsec policy configuration of the headquarters is as follows. According to the client"s feedback, after the exchange of 1 and 2 of bfy2, the business of branch 1 will pass, but 2 will not.

      ipsec policy bfy2 1 isakmp
      security acl 3001
      ike-peer xiamen
      transform-set xiamen
    #
      ipsec policy bfy2 2 isakmp
      security acl 3002
      ike-peer 8yuan
      transform-set 8yuan
    #

4. View the interest streams of the two branches:  

acl number 3001
    description bfy---xiamen
    rule 0 permit ip source 192.168.35.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule 2 deny ip
    acl number 3002
    description bfy---bky(8yuan)
    rule 10 permit ip source 192.168.35.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 20 deny ip
   #