Bring back local network SPD exclusions for IPsec
On 2.1.x and before, exclusions were added to prevent local traffic from entering IPsec, including traffic from the LAN network to the LAN interface and between other local networks. On 2.2 these have been removed.
Without these exclusions, it's impossible to have a functional tunnel that sends all traffic over IPsec (0.0.0.0/0 remote) or one that uses a summarized network remote (10.0.0.0/8 when the LAN is also a 10.x.x.x net).
I thought there was already a ticket for this but couldn't locate one. If the other one turns up, close this one and make sure the other is targeted for 2.2.2.