@spearhead1 As you say that both phase 2 SA are connected, can you see packets going out when you go to Status / IPsec / Overview and click on + Show chiild SA entries?
If not, can you see the unencrypted traffic coming from 10.225.172.0/24 in a packet capture?
If yes, can you confirm that this is the right traffic by doing a packet capture on the IPsec interface?