It seems you lack some bits of how IPsec works and hence how the related elements of the configuration depend on each other.
In the mode-config at the responder (main site router), you specify
- the address to be assigned to the initiator (it is sufficient that you assign a /32, so the address-prefix-length=30 doesn't help anything).
- the subnet(s) which the initiator should reach via the IPsec SA - if you don't specify anything, it's the whole internet (0.0.0.0/0), if you specify a list of subnets in the split-include parameter of the mode-config row, only these subnets will be sent to the initiator as destination subnets reachable through the SA.
The initiator uses this information to assign its own address, and to create traffic selectors for IPsec policies. For each subnet in the
split-include list, one traffic selector is created, where that subnet is at the destination side and the own address is at the source side. The policy is only generated at initiator side if there is a policy template available in the policy template group at the initiator side whose both src-address and dst-address are supersets of the ones of the traffic selector requested, otherwise the policy generation fails with an error.
The initiator sends the traffic selector to the responder, which looks for a matching policy template at its own side, except that the roles of source and destination are swapped.
So your log from initiator side shows that the initiator asks for 192.168.99.254/32 at its side (own address assigned from the pool at responder side) and 192.168.99.0/24 at responder side (the only subnet in the
split-include list), but as no matching template is available at responder side for the initiator's identity (as your configuration export from the main site reveals), a policy cannot be created at responder side, so the responder sends TS_UNACCEPTABLE and Phase 2 negotiation fails.
If you want to give each outer router always the same IP address using the mode-config, you must use one identity row per each outer router, on which the
remote-id must be specified to match the
my-id configured at the outer router in the identity row representing the main router. For each such identity at the main router, there must be an individual mode-config row where a single address for the client is configured. But all these identities may use the same policy template group, which may contain just a single template if you make it wide enough to cover the complete range of initiator addresses (192.168.99.0/24) as
dst-address, and its src-address is a superset of all elements of the split-include list (here, 192.168.99.1/32 is enough as written earlier).
If you don't mind that the outer routers get random addresses from the pool, a single identity for all of them is enough (but if something else connects to the same peer and knows the shared secret, it will get an address too), but as in that case each GRE tunnel will connect to a random outer router, the outer routers have to advertise their LAN subnets by means of a dynamic routing protocol to the main router via the tunnel. However, I'm not sure whether there are dynamic routing protocols which can work over PPP tunnels without having an IP address assigned to their end of the tunnel, so you might then need a script to take the last byte of the address assigned using mode-config and use it as a last byte of an address with a different prefix (such as 192.168.98) to assign to the GRE interface, and another script doing the same at the main router so that it could translate the IP address of the remote end to the name of the interface. So one (identity, mode-config) pair per outer router seems to be a far simpler solution to me. With L2TP, you don't need a script for this, because address assignment from server to client is embedded into L2TP. But also here, you may assign IP addresses and routes statically to the clients based on their identity (in this case, the username) instead of giving them random addresses and then using dynamic routing protocols to update the routing.