IPSec NAT rules are not removed when a tunnel is disabled
After disabling an IPSec tunnel in the GUI, the NAT rules in the phase 2 entries are not removed and are still applied to traffic using that route in another IPSec tunnel.
This applies if the tunnel is disabled at the phase 2 or the phase 1 containing it.
NAT rules still appear in rules.debug.
Check whether the P2 or its associated P1 are disabled before adding NAT rules. Ticket #5320
#1 Updated by Jim Pingle about 4 years ago
It appears the code in filter.inc is not checking for a disabled P1 or P2 when creating the NAT rules: