IPsec Policy AND Route-based issues (& manual correction)

Started by Wuschy, December 16, 2024, 02:07:52 AM

Dears,
I have a question (and issues -.-) with a route-based IPsec setup.
First of all, I assume that the manual (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-route.html) is wrong at the Routes part: there it is stated that on Site A the network address 10.0.2.0 (which additionally might be a typo, as 10.2.0.0 was used) should be set... but 10.2.0.0 is the address of Site A, and if one does so... this kills the system (I tried it in a third attempt, as I am unable to get my VPN tunnel working).

For my issue (if anyone is willing to help): I've followed the instructions 100% with one exception: my Site B has no static public IP address... the rest has been kept as stated... (but I also have working policy-based tunnels on Site A).

So as soon as I provide a Gateway, Site B tries to retransmit: "retransmit 1 of request with message ID 0" and Site A unregisters "05[CFG] vici client 2 unregistered for: list-conn" and finally disconnects... :((

A policy-based tunnel had been created before as well, but I couldn't figure out how to fix the MTU issue... as soon as a packet of a certain size hit the tunnel, the tunnel stayed "connected", but no traffic flowed through it anymore... (tried all the normalization stuff :/)
Therefore I decided to give the route-based tunnel a try... without luck as well -.-

Setup:
Site A, OPNsense 24.7.10_2-amd64 on FreeBSD 14.1-RELEASE-p6 (virtualized System) with a static public IP
Site B, OPNsense 24.7.10_2-amd64 on FreeBSD 14.1-RELEASE-p6 (Zima-Board) with a SIM-Card Router and non-static, non-public (incoming) IP / behind NAT

As stated... configured 1:1 as described in the manual, except for the static IP parts.

any help is highly appreciated!

Update:
Today I tested a different setup with another system (a Raspberry Pi), again with the policy-based tunnel.
The same happens here: as soon as I send a packet of a certain size, the tunnel itself stays up, but no data is sent through it. Even after changing the interface MTU size to a very low number (1000), nothing changes in this specific behavior. The problem might be caused by the mobile internet provider.
When I (without an active VPN tunnel) lower the MTU on the interface, the "gap" still applies: for example, when the interface MTU is set to 1500, I am able to send pings up to 1472. After lowering the MTU further to 1472, I am able to send pings up to 1444:
ping 8.8.8.8 -M do -s 1445
PING 8.8.8.8 (8.8.8.8) 1445(1473) bytes of data.
ping: local error: message too long, mtu=1472
Does anyone know how I can fix this issue to get my VPN tunnel stable?

Another Update:
Seems to be an OPNsense Issue... I've "extended" my setup:
Site A, Modem <-> OPNsense 24.7.10_2-amd64 on FreeBSD 14.1-RELEASE-p6 (virtualized System) with a static public IP
Site B, SIM-Card Router and non-static, non-public (incoming) IP / behind NAT
<-> OPNsense 24.7.10_2-amd64 on FreeBSD 14.1-RELEASE-p6 (Zima-Board)
<-> additionally a Raspberry Pi with a policy-based IPsec Client

I am "able" to send large pings from my Raspberry Pi, which tells me that they are too large and can't be fragmented (but the tunnel keeps working properly).
If I send them from my Site-A OPNsense, the tunnel gets destroyed as well. So whenever the sending goes through one of the OPNsense boxes, it destroys the tunnel.
I've even added esp_Frag and Fragmentation = yes via a custom config without any effect... the normalizations didn't have any effect at all...

so any help regarding this OPNsense issue would be great :(

Last Update:
As no one was able to help and I had wasted too much time on this issue, I switched to a WireGuard S2S VPN tunnel... which is a pity, as my clients use IPsec... but nevertheless, WireGuard works flawlessly.
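The MTU test in the first update finds the largest DF ping by hand. The script below is an added example (not from the post and not OPNsense code) that automates the same probe with a binary search and makes the 28-byte IPv4 + ICMP header overhead explicit, which is exactly the "gap" between the interface MTU and the largest -s value that passes (1500 - 28 = 1472, 1472 - 28 = 1444). It assumes Linux iputils ping syntax as used in the post; the target host and the file name pmtu.sh are placeholders.

```shell
#!/bin/sh
# Path-MTU probe using DF-bit pings (iputils: -M do sets DF, -s is the ICMP
# payload size). Assumption: IPv4, so every echo request carries a 20-byte IP
# header plus an 8-byte ICMP header on top of the -s payload.
IP_ICMP_OVERHEAD=28

# Largest ICMP payload that fits a given link MTU without fragmentation.
max_icmp_payload() {
    echo $(( $1 - IP_ICMP_OVERHEAD ))
}

# Convert a payload size that passed back into the path MTU it implies.
payload_to_mtu() {
    echo $(( $1 + IP_ICMP_OVERHEAD ))
}

# Send one DF ping with payload $2 to host $1. Exit 0 if it was answered,
# non-zero on "message too long" or timeout. Only this function touches the
# network, so it can be swapped out (see PROBE below) for offline checks.
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest payload in [lo, hi] that passes through to $1,
# calling the function named in $PROBE (default: probe). Prints the payload.
find_max_payload() {
    host=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "${PROBE:-probe}" "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Usage: sh pmtu.sh <host>   (placeholder host, e.g. the remote tunnel peer)
# Starts from the 1500-byte Ethernet ceiling and reports the usable path MTU.
if [ -n "$1" ]; then
    p=$(find_max_payload "$1" 0 "$(max_icmp_payload 1500)")
    echo "largest DF payload: $p bytes -> path MTU $(payload_to_mtu "$p")"
fi
```

The path MTU it reports is the value to compare against the interface MTU and the tunnel overhead; if the tunnel drops packets above some size instead of returning "message too long", the search still finds that size because the timeout counts as a failed probe.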