Auto-added IPsec rules overmatch in some circumstances
The auto-added IPsec rules over-match in some situations, primarily when mobile IPsec is in use. For instance, if mobile IPsec is enabled on a system that has other IPsec endpoints behind it (typically an edge system that does not NAT), the ISAKMP and ESP traffic of those endpoints will match the mobile route-to/reply-to pass rules, and if mobile IPsec is bound to a different interface, that traffic will leave via the wrong WAN.
Use self rather than any in auto-added IPsec rules to prevent over-matching. Ticket #5211
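As an added illustration of the difference (this is not text from the ticket and not the exact rule text the firewall generates), the pf-style fragment below shows the over-matching form beside the corrected one. The interface names, gateway address and labels are assumptions: mobile IPsec is assumed to be bound to em0 (gateway 192.0.2.1), a second WAN em1 carries the traffic of a routed, un-NATed IPsec endpoint behind the firewall, and the only thing that changes between the two forms is the source address of the mobile rules.

```pf
# Over-matching form (assumed shape): because the mobile peer address is
# unknown the destination must be "any", but the source is "any" as well,
# so IKE/NAT-T (UDP 500/4500) and ESP merely transiting this firewall from
# the inside endpoint also match and are policy-routed out em0.
pass out quick route-to (em0 192.0.2.1) inet proto udp from any to any port { 500, 4500 } keep state label "ipsec mobile: isakmp/nat-t (over-matches)"
pass out quick route-to (em0 192.0.2.1) inet proto esp from any to any keep state label "ipsec mobile: esp (over-matches)"

# Corrected form: "self" expands to the firewall's own addresses, so only the
# firewall's own IKE/ESP is forced out em0. Transit traffic from endpoints
# behind the firewall no longer matches and follows the routing table, i.e.
# it leaves via em1 as intended.
pass out quick route-to (em0 192.0.2.1) inet proto udp from self to any port { 500, 4500 } keep state label "ipsec mobile: isakmp/nat-t"
pass out quick route-to (em0 192.0.2.1) inet proto esp from self to any keep state label "ipsec mobile: esp"
```

To confirm which form is loaded, parse-check a candidate ruleset with `pfctl -nf <file>` and inspect the active rules with `pfctl -sr | grep -i "ipsec mobile"`; the over-matching variant shows `from any`, the fixed one `from self`.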