Bug #815
closed
IPSEC VPN creation fails if LAN I/F has no IP address.
100%
Description
vpn.inc makes the assumption that the LAN interface will have an IP address. In the case where it does not (for example where there is a bridge with the LAN interface as a member), vpn.inc appears to create two erroneous spdadd lines at the top of spd.conf which prevent the VPN tunnel from becoming established.
As a test, the following lines in vpn.inc were changed from:
$lanip = get_interface_ip("lan");
$lansn = get_interface_subnet("lan");
to
$lanip = get_interface_ip("bridge0");
$lansn = get_interface_subnet("bridge0");
after which the correct syntax spdadd lines are added to spd.conf and the VPN comes up as expected.
Maybe the correct action is to inspect bridges if the LAN address is null, to see if they contain the LAN interface as a member and use their address details instead? (although $lanip, $lansn are only used as a failsafe, it would appear, to stop the user locking themselves out, so that may be overkill?)
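One way to implement the fallback suggested in the description, as an added example that is not the code in vpn.inc or in the changeset referenced below. The bridge list layout (`members`, `bridgeif`), the two lookup callables standing in for get_interface_ip() and get_interface_subnet(), and the form of the emitted spdadd lines are assumptions; when no address can be resolved, no policy line is written rather than a malformed one.

```php
<?php
// Added example, not pfSense code. The bridge list layout and both
// lookup callables are assumptions standing in for the firewall's
// configuration and its get_interface_ip()/get_interface_subnet().

/** Return [ip, prefix] for LAN, or for a bridge that has LAN as a member, else null. */
function resolve_lan_address(array $bridges, callable $getIp, callable $getSubnet): ?array
{
    $candidates = ['lan'];
    foreach ($bridges as $bridge) {
        $members = array_map('trim', explode(',', $bridge['members'] ?? ''));
        if (in_array('lan', $members, true) && !empty($bridge['bridgeif'])) {
            $candidates[] = $bridge['bridgeif'];
        }
    }
    foreach ($candidates as $if) {
        $ip = $getIp($if);
        $sn = $getSubnet($if);
        // Accept only a well-formed IPv4 address and a prefix length of 1..32.
        if (is_string($ip) && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
            && is_numeric($sn) && (int)$sn >= 1 && (int)$sn <= 32) {
            return [$ip, (int)$sn];
        }
    }
    return null;
}

/** Build the LAN bypass policies, or nothing when no address was resolved. */
function lan_bypass_policies(?array $addr): string
{
    if ($addr === null) {
        return '';   // emit no policy rather than a malformed one
    }
    [$ip, $sn] = $addr;
    $net = long2ip(ip2long($ip) & (-1 << (32 - $sn)));
    // Assumed line form (setkey syntax), not copied from vpn.inc.
    return "spdadd {$net}/{$sn} {$ip}/32 any -P in none;\n"
         . "spdadd {$ip}/32 {$net}/{$sn} any -P out none;\n";
}

// Constructed sample: LAN has no address and is a member of bridge0.
$bridges   = [['members' => 'lan,opt1', 'bridgeif' => 'bridge0']];
$ips       = ['bridge0' => '192.168.1.1'];
$subnets   = ['bridge0' => 24];
$getIp     = fn(string $if) => $ips[$if] ?? null;
$getSubnet = fn(string $if) => $subnets[$if] ?? null;

echo lan_bypass_policies(resolve_lan_address($bridges, $getIp, $getSubnet));
var_dump(lan_bypass_policies(resolve_lan_address([], $getIp, $getSubnet)) === '');
```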
Updated by Ermal Luçi over 14 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 6c74ac2363176cf4492b2331130998fc4c140048.
Updated by Chris Buechler over 14 years ago
- Status changed from Feedback to Resolved