Best Of

To ping from office1 to office2 you need

firewall rule on Office 2

from IPSec_VPN

to LAN1

firewall rule on Office 1

from LAN2

to IPSec_VPN

I don't get why you can't ping from office2 to office1

do you get logs in office 1?

Little hint: scoop deep into Security Policies before design editing ;)

You could use one port on Zywall and VLAN the other subnets on it each with their own zone

So. ge2 should communicate with ge8. Am I correct?

As most firewalls softwares, Zyxel ZLD have on top of interfaces an "higher" level of grouping called "zones". Into Zyxel devices, the default names should be Lan1, Lan2, DMZ, Guest; some devices have Wireless zone too, but don't quote me on that.
You can identify that into Security Policies: you are asked for zones, than interfaces, than "ip objects" like ranges, subnets, ip, whatever.

You can also see the zone assigned to the interface editing the interface itself; unfortunately as default, Zyxel assigne the same name for interfaces and zones but whatever. You can assign more interfaces on the same zone, but only one zone for any interface.

As default setting, LAN1 and LAN2 zones are allowed to communitate without hassle. Routing is automatically defined when editing the interfaces and their ip address, and the policy is there. So maybe assigne ge2 as LAN1 and ge8 as LAN2 zone, if security policy was not completely zapped away, should do the trick.
Zones can be customized and can be added but only when interfaces are available. Zyxel firmwares consider "interfaces" also vLANS and more things".
This… at least as fast explaination.

Otherwise, if you want on the same subnet ge2 and ge8 (would get rid of the necessity of security policy and routing policy between these two) you have to create a bridge between them, but long story short I strongly advise against that choice.

I'd love to see the outcome of your issue, if possible.

Have a lot of fun, your setup seems really promising from the devices here shared.