That is a much better explanation. Thanks mrz

The actual reason for this rule is that packets that should match an IPsec policy must not be masqueraded. Masquerade will change the source address and the packets will fail to match against the IPsec policy.
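The rule being discussed, written out as a RouterOS configuration fragment. This is an added example, not configuration from either poster; the WAN interface name "ether1" is assumed. The first block is the plain masquerade that breaks IPsec policy matching, the second is the same NAT table with the bypass rule placed ahead of it.

```routeros
# Added example (not from the forum thread). "ether1" is an assumed WAN interface.

# Weak: every packet leaving ether1 gets its source address rewritten,
# including traffic that an IPsec policy should select. After the rewrite the
# packet no longer matches the policy selectors, so it is not protected.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

# Corrected: accept (i.e. skip srcnat for) packets that match an outbound
# IPsec policy BEFORE the masquerade rule can see them. ipsec-policy=out,ipsec
# matches packets that an outbound IPsec policy will encapsulate.
# place-before=0 puts the rule at the top of an existing srcnat chain.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0
add chain=srcnat action=masquerade out-interface=ether1

# Check: the accept rule's packet counter should increase while IPsec
# traffic flows, and the policy should show as active.
/ip firewall nat print stats
/ip ipsec policy print
```

Order is the whole point: NAT rules are evaluated top to bottom in the srcnat chain, so the accept rule only protects IPsec traffic if it sits above the masquerade rule.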
@nichky Best would be to check your detailed logs from both server and client. Your "unknown" reason will be written there. It is highly possible that you don't have such logging enabled, so you will need to add logging actions for the topics "ipsec" and "l2tp" (one action for each topic) and, once your disconnection happens, check what they say.
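The logging setup described in this reply, as an added RouterOS example that is not configuration from the poster. It enables the two topics into the in-memory log and, optionally, to a remote syslog collector whose address (192.0.2.10) is an assumed placeholder.

```routeros
# Added example (not from the forum thread). The remote syslog address is assumed.

# One logging rule per topic, both to the built-in in-RAM "memory" destination.
# Adding ",!packet" to the ipsec topic suppresses per-packet noise so the
# negotiation and teardown messages are easier to find.
/system logging
add topics=ipsec,!packet action=memory
add topics=l2tp action=memory

# Optional: also ship the same topics off-box so they survive a reboot or
# a log buffer wrap while you wait for the disconnect to recur.
/system logging action
add name=remote-syslog target=remote remote=192.0.2.10 remote-port=514
/system logging
add topics=ipsec,!packet action=remote-syslog
add topics=l2tp action=remote-syslog

# After the next disconnect, read back only the relevant entries.
/log print where topics~"ipsec" or topics~"l2tp"
```

Do the same on the client side where it is also a RouterOS device; the cause of an "unknown" disconnect is usually visible in whichever end initiated the teardown.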