You would use separate P2 entries for each subnet. Though you could combine the 172.x.x.x as 172.16.0.0/14 which would cover both 172.17 and 172.18, so long as it doesn't conflict with anything else you are doing. Alternately, use routed IPsec then you don't need to worry about tunnel mode policies at all.

You can't use subnets contained inside your VPC subnet anywhere but the VPC itself. Use something outside of that for the other side of the VPN. Sorry. That's just the way AWS works, as you can see from that error message.