Andrew

Maybe something like `meta ipsec exists` `meta ipsec missing` ?

Also `meta secpol 0|1` might be related, check if combination works. Proper chain-prepend is to make a file like this, repeating hook spec of particular chain. The dynamic zone chains...

Probably worth researching how to integrate rules into firewalld and amending strongswan docs with Your translation.

multiple interfaces - prepend rulw iif {$wan_devices, $wwan_devices } filter your way. There is no "multiple source zones" option in fw4

@jow- this can be closed, ipsec policy was never instrumented in fw3 fw4, just summary consultation how to properly translate old format additional rules.

cert defaults are present since lede v17, year 2017. You can restore undamaged file from /room and then customize with uci to your liking.

Crucial detail - if and what transceiver is connected to each.

Can you answer the question? Do you get ghost transceiver when nothing is plugged? Is it zyxel transceeiver? Other major brand? 10 bucks from ali?

Your log is normal boot, could you produce one relevant to the issue you describe and edit away irrelevant excessive log?

Experiment 1: OK, it says no cable connected anywhere. while with serial run `logread -f` and plug cable end in all ports (wan and one lan) to see if any...