Outbound IPsec rules do not exclude WAN subnet
Either the rules need to be adjusted or we're missing the patch that automatically excludes WAN subnet traffic from route-to.
The default outbound IPsec rules look like this:
pass out log on $WAN route-to ( em0 192.168.2.1 ) proto udp from any to 192.168.2.5 port = 500 tracker 1000104251 keep state label "IPsec: My Tunnel - outbound isakmp"
Because of the route-to clause, packets for 192.168.2.5 (a host on the WAN subnet itself) are handed to the gateway 192.168.2.1 instead of being delivered directly to the target system. The gateway then has to hairpin the packet back onto the same segment, which often does not work, so the tunnel fails to come up.
The general "firewall host itself" rules do have such an exclusion (note the negated destination !192.168.2.0/24):
pass out log route-to ( em0 192.168.2.1 ) from 192.168.2.8 to !192.168.2.0/24 tracker 1000003811 keep state allow-opts label "let out anything from firewall host itself"
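An added check, not part of this report or of pfSense, for spotting route-to rules whose destination lies inside the route-to interface's own subnet. It assumes em0 is the WAN interface with the attached subnet 192.168.2.0/24 (consistent with the gateway 192.168.2.1 and the exclusion in the rule above), uses the two rules quoted above plus one constructed rule for an off-subnet peer as sample input, and proposes a fix in the style the "firewall host itself" rule already uses; the exact form of pfSense's own patch is not known here and is not assumed.

```python
import ipaddress
import re

# Constructed sample rule set: the two rules quoted in the report, plus one
# assumed rule for an IPsec peer outside the WAN subnet (203.0.113.10, a
# documentation address) to show a route-to rule that is fine as written.
RULES = [
    'pass out log on $WAN route-to ( em0 192.168.2.1 ) proto udp from any to 192.168.2.5 '
    'port = 500 tracker 1000104251 keep state label "IPsec: My Tunnel - outbound isakmp"',
    'pass out log route-to ( em0 192.168.2.1 ) from 192.168.2.8 to !192.168.2.0/24 '
    'tracker 1000003811 keep state allow-opts label "let out anything from firewall host itself"',
    'pass out log on $WAN route-to ( em0 192.168.2.1 ) proto udp from any to 203.0.113.10 '
    'port = 500 keep state label "assumed off-subnet peer"',
]

# Assumed: em0 is the WAN interface and 192.168.2.0/24 is its directly attached
# subnet (the gateway 192.168.2.1 and the !192.168.2.0/24 exclusion both fit this).
IFACE_SUBNETS = {"em0": ipaddress.ip_network("192.168.2.0/24")}

ROUTE_TO_RE = re.compile(r"route-to \( (\S+) (\S+) \)")
# Leading whitespace (or start of line) is required so the "-to" in "route-to"
# is not mistaken for the destination keyword.
DEST_RE = re.compile(r"(?:^|\s)to\s+(!?)(\S+)")


def check_rule(rule, iface_subnets=IFACE_SUBNETS):
    """Classify one pf rule with respect to route-to and the interface subnet.

    Returns (verdict, detail). Verdicts:
      "no-route-to"  no route-to clause, pf routes the packet normally
      "unknown"      interface subnet unknown or destination not parseable
      "excluded"     negated destination covers the subnet (safe)
      "ok"           destination lies entirely outside the subnet (safe)
      "on-subnet"    destination lies entirely inside the subnet: packets go to
                     the gateway instead of directly to the host (the bug)
      "overlaps"     "any" or a wider/narrower net can still match on-subnet
                     hosts, so the rule needs an exclusion
    """
    m = ROUTE_TO_RE.search(rule)
    if not m:
        return "no-route-to", None
    iface, gateway = m.groups()
    subnet = iface_subnets.get(iface)
    d = DEST_RE.search(rule)
    if subnet is None or d is None:
        return "unknown", f"iface={iface} gw={gateway}"
    negated, dest = d.group(1) == "!", d.group(2)
    if dest == "any":
        return "overlaps", f"'to any' via {gateway} also catches hosts in {subnet}"
    try:
        net = ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return "unknown", f"cannot parse destination {dest!r}"
    if net.version != subnet.version:
        return "ok", f"{dest} is a different address family than {subnet}"
    if negated:
        if subnet.subnet_of(net):
            return "excluded", f"!{dest} keeps {subnet} away from {gateway}"
        return "overlaps", f"!{dest} still lets other hosts in {subnet} go via {gateway}"
    if net.subnet_of(subnet):
        return "on-subnet", f"{dest} is inside {subnet} but is sent via {gateway}"
    if net.overlaps(subnet):
        return "overlaps", f"{dest} partly covers {subnet}"
    return "ok", f"{dest} is outside {subnet}"


def fix_rule(rule, iface_subnets=IFACE_SUBNETS):
    """Return a corrected rule for the two fixable verdicts, else the rule unchanged.

    on-subnet: drop the route-to clause so pf delivers to the host directly
               (assumed fix; pfSense's own patch may do this differently).
    overlaps with 'to any': narrow the destination to !subnet, as the
               "firewall host itself" rule in the report does; on-subnet
               traffic then needs a separate rule without route-to.
    """
    verdict, _ = check_rule(rule, iface_subnets)
    if verdict == "on-subnet":
        return ROUTE_TO_RE.sub("", rule).replace("  ", " ")
    if verdict == "overlaps" and re.search(r"\sto\s+any\b", rule):
        iface = ROUTE_TO_RE.search(rule).group(1)
        repl = r"\g<1>to !" + str(iface_subnets[iface])
        return re.sub(r"(\s)to\s+any\b", repl, rule)
    return rule


if __name__ == "__main__":
    for r in RULES:
        verdict, detail = check_rule(r)
        print(f"{verdict:12s} {detail}")
        if verdict in ("on-subnet", "overlaps"):
            print("  fix:", fix_rule(r))
```

Running it flags the isakmp rule as on-subnet and proposes the same rule without the route-to clause, accepts the "firewall host itself" rule because of its !192.168.2.0/24 destination, and leaves the off-subnet peer rule alone. The interface-to-subnet map is the one piece of state the check needs; in practice it would come from ifconfig output rather than being hard-coded.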