Found it! You need to set the local network in the phase 2 to be 0.0.0.0/0 not the LAN network or interface.

This string in ipsec log looks bad: Jan 4 22:15:07 charon 11[IKE] <con2000|152>IDir '213.132.56.218' does not match to '192.168.3.2'</con2000|152> What is evidently a consequence of setting and private IP as remote peer ID: Peer identifier = 192.168.3.2 Probably, you need to set Peer identifier = 213.132.56.218

It's not supported, and probably won't be. security folks are insisting we use ESP with Null encryption Those are not "security folks". If the equipment on the other end can't handle the encryption load, get better equipment.

@Derelict: firewall rules go on the interfaces the traffic arrives into. So connections from IPsec go on the IPsec tab. You'll have to post rues, IPsec settings etc. Hard to say what you have done wrong. Hello, and Happy New Year. Sorry for the late reply, but,  Christmas break and all.. Anyway just wanted to say that you pointed me in the right direction and was able to solve the problem. Many thanks! For those ending up here after searching for the same problem, here's how I resolved it based on Derelict's input. He may want to change some of the below however this is working for me now. If there is a Site to Site (S2S) VPN tunnel in place between, say, between Head Office (Site "A"), and a Branch Office (Site "B"), and you want your Mobile Clients to be able to connect to Site "A" remotely and see Site "B" you need to perform the additional setup: The idea here is that you need to take the traffic from the Mobile VPN client, that is destined for Site B's network, and: Tell Mobile Client's routing to pass Site B's LAN addresses over VPN. Hand it off to Site A's local LAN (Mobile Phase 2 entry on Site A) Site A's LAN's firewall needs to allow it, NATting the traffic to Site B's network. (IPsec firewall tab on Site A). Site A's LAN passes it along to Site A's VPN Tunnel (S2S VPN Phase 2 entry on Site A) Site B's VPN Tunnel passes it long to Site B's local LAN. (S2S VPN Phase 2 entry on Site B) In this example, we will use the following data: Mobile VPN client network: 172.16.10.0/24 Site A local LAN network: 10.5.0.0/16 Site B local LAN network: 10.6.0.0/16 SITE A: Additional Phase 2: Mobile Clients Navigate to VPN -> IPsec On the "Tunnels" tab, click "Show Phase 2" entries under "Mobile Clients". Create a new Phase 2 entry with the following settings: o Mode: Tunnel IPv4 o Local Network: 10.6.0.0/16 o Description: Whatever you want. EG: Sales Office LAN o Protocol: ESP o Encryption Algorithms: AES 256 bits o Hash Algorithms: SHA1, SHA256, SHA384, SHA512 o The rest is default. o Save and Apply. SITE A: Additional Phase 2: S2S VPN Add a new Phase 2 entry under your existing S2S VPN as follows: o Mode: Tunnel IPv4 o Local Network: Your Mobile VPN Network (EG: 172.16.10.0/24) o Remote Network: Your Site B LAN Network (EG: 10.6.0.0/16) o Encryption Algorithms: AES 256 bits o Hash Algorithms: SHA1 o The rest is default. o Save and Apply. SITE A: Firewall Rules Go to Firewall -> Rules, IPsec Tab Add a new rule below the existing one with the following settings: o Interface: IPsec o Address Family: IPv4 o Protocol: Any o Source: Network, your Mobile VPN Network (EG: 172.16.10.0/24) o Destination: Network, Your Site B LAN Network (EG: 10.6.0.0/16) o Save and Apply. SITE B: Additional Phase 2: S2S VPN Add a new Phase 2 entry under your existing S2S VPN as follows: o Mode: Tunnel IPv4 o Local Network: Your Site B LAN Network (EG: 10.6.0.0/16) o Remote Network: Your Mobile VPN Network (EG: 172.16.10.0/24) o Encryption Algorithms: AES 256 bits o Hash Algorithms: SHA1 o The rest is default. o Save and Apply. Mobile Client Setup You will need to tell your mobile client's OS to pass Site B's LAN traffic over your VPN connection. I will cover Windows 10 for this. Open a privileged Power Shell and: Add-VpnConnectionRoute -ConnectionName "PRP" -DestinationPrefix 10.6.0.0/16 -PassThru

All is good with a new Fritzbox 6590. The Thread can be marked as solved.

Several years after these pertinent remarks, it is sad to see that nothing has been done to make the log display readable. Happy new year anyway  ;D

Fixed that… Changed encryption to: AES-128-GCM / SHA256 / DH 14 and IPSec performance jumped to 877 Mbit/sec.

@Derelict: I don't know what "Office" is. What is the IPsec tunnel network or the remote networks? What is the Local LAN subnet? Hi Remote office network is 192.168.10.0/24 Local LAN is 192.168.25.0/24 I only want a couple of devices to have access via the VPN and be reachable from the VPN. These have been specified in the Office all Thanks

The both have to NAT if they also need to communicate with each other, btw.

@Derelict: Split tunneling is more to do with the client settings than the server. For instance in windows 10 I'm pretty sure you need to manually set that in powershell. At least in some versions. Sorry, no android here to test, and it too probably varies version-to-version. I had a feeling it may not be possible, i have just set up the internet to route through my VPN again (and tidied up my firewall rules a lot) Thanks for the help both of you :)