Mobile IPsec 'pass out' rules overmatch
The 'pass out' rules for UDP 500 and 4500 and ESP over-match in mobile IPsec scenarios. The route-to on those rules ends up breaking connectivity for hosts on internal networks whose egress IPsec traffic leaves via a different WAN than the one the mobile P1 is bound to. So if you have mobile IPsec on WAN2, and your LAN hosts leave via WAN1, when a LAN client tries to connect to an outside IPsec server, it'll end up with WAN1's source IP but leave via WAN2.
The pass out is unnecessary for mobile since it never initiates traffic outbound. The auto-added rules for site-to-site VPNs match the specific remote endpoint's IP, so they don't overmatch.
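The three rule shapes described above, as an added pf illustration (constructed for this report, not the firewall's actual generated ruleset): the over-broad mobile 'pass out' with route-to, the endpoint-specific site-to-site form that does not overmatch, and the mobile form with the 'pass out' dropped. Interface names, gateway address, and the peer 203.0.113.10 are assumed placeholders.

```pf
# Added illustration, not the project's generated rules. Interfaces, the WAN2
# gateway and the site-to-site peer address are assumed placeholder values.

wan1    = "em0"
wan2    = "em1"
wan2_gw = "198.51.100.1"
peer    = "203.0.113.10"

# Over-broad (the bug): auto-added for a mobile P1 bound to WAN2. Any IKE/ESP
# leaving the firewall matches, including a LAN client that was NATed out via
# WAN1 toward some unrelated IPsec server. route-to then forces that packet out
# WAN2 while it still carries WAN1's source address, so the session breaks.
pass out quick route-to ( $wan2 $wan2_gw ) proto udp from any to any port { 500, 4500 } keep state
pass out quick route-to ( $wan2 $wan2_gw ) proto esp from any to any keep state

# Site-to-site P1 (no overmatch): the rule is pinned to the configured remote
# endpoint, so LAN traffic to any other IPsec server keeps its normal WAN1 path.
pass out quick route-to ( $wan2 $wan2_gw ) proto udp from ($wan2) to $peer port { 500, 4500 } keep state
pass out quick route-to ( $wan2 $wan2_gw ) proto esp from ($wan2) to $peer keep state

# Mobile P1 (corrected): no 'pass out' at all. The firewall never initiates
# toward a roaming client, so only the inbound rules on WAN2 are required.
pass in quick on $wan2 proto udp from any to ($wan2) port { 500, 4500 } keep state
pass in quick on $wan2 proto esp from any to ($wan2) keep state
```

A quick way to confirm which rule a stray IKE packet is hitting on a live box is `pfctl -vvsr` (rule counters and numbers) together with `pfctl -ss` to see whether the state's route-to interface is WAN2 while its source address belongs to WAN1.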