TL-R605 create multiple site-to-site IPsec VPNs
I have two sites A and B, connected by an automatic IPsec site-to-site link. Site A has the OC200 controller. Everything seems to work fine.
I also have client-to-site OpenVPNs set up to connect remote users to both sites when needed.
Now I want to connect a second site-to-site VPN to site B, to connect to a client's network.
However, when I go to create a manual site-to-site IPsec VPN, I always get an error message that 'The local subnet and remote subnet cannot overlap with those of existing Ipsec VPN policies.'
I understand that the remote subnets need to not overlap (although as other posters have noted, that rule should really only be enforced at the time that the VPN is enabled, so you can switch between multiple similar configurations).
But it seems to be also expecting the local subnets to be unique, which seems unnecessary - the whole point of a VPN is to route traffic between your local network and a remote location. You'd expect the local subnet to be the same for most of your VPNs, wouldn't you?
If I create a second LAN with a different subnet, and configure the VPN to use that as the local network, then I can add the VPN configuration OK, which confirms that the problem is having the same local subnet on two IPsec configs. I might be able to make that work in my case, but since the default LAN network insists on also hogging untagged traffic on every LAN port, I suspect I'm also going to have to add a managed switch that can tag the traffic.
There is so much that is so good about the Omada environment, but it seems like it keeps failing on even fairly simple use cases.
Anyone have any ideas what I'm doing wrong, or have any workarounds?
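The post above turns on what "overlap" should mean for IPsec policies. In the usual traffic-selector model, two policies are only ambiguous when both the local and the remote selectors overlap, because then a packet could match either tunnel; two tunnels sharing one local subnet but with disjoint remote subnets are unambiguous. The snippet below is an added illustration, not code from the original post or from TP-Link/Omada. It compares that standard check with the stricter per-field rule the poster reports observing (any overlap on either side rejected). The policy names, subnets and the `IpsecPolicy` class are constructed for the example; how the Omada controller actually implements its check is not known from the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecPolicy:
    """One site-to-site IPsec policy as seen from this router (constructed type)."""
    name: str
    local: str   # local traffic selector, CIDR
    remote: str  # remote traffic selector, CIDR


def _overlap(a: str, b: str) -> bool:
    """True if the two CIDR ranges share any address."""
    net_a = ipaddress.ip_network(a, strict=False)
    net_b = ipaddress.ip_network(b, strict=False)
    return net_a.overlaps(net_b)


def selector_conflicts(existing: list[IpsecPolicy], new: IpsecPolicy) -> list[str]:
    """Standard traffic-selector rule: a policy is ambiguous only if BOTH its
    local and its remote selector overlap an existing policy's selectors.
    Returns the names of the conflicting existing policies."""
    return [
        p.name
        for p in existing
        if _overlap(p.local, new.local) and _overlap(p.remote, new.remote)
    ]


def per_field_conflicts(existing: list[IpsecPolicy], new: IpsecPolicy) -> list[str]:
    """Stricter rule the post describes seeing: reject if EITHER the local or
    the remote selector overlaps any existing policy (assumed from the
    reported behaviour, not verified against the controller)."""
    return [
        p.name
        for p in existing
        if _overlap(p.local, new.local) or _overlap(p.remote, new.remote)
    ]


# Constructed scenario from site B's point of view: one existing tunnel to
# site A, then a second tunnel to a client's network on the same local LAN.
EXISTING = [IpsecPolicy("site-a", local="192.168.20.0/24", remote="192.168.10.0/24")]

CLIENT_SAME_LAN = IpsecPolicy("client", local="192.168.20.0/24", remote="10.50.0.0/16")
CLIENT_NEW_LAN = IpsecPolicy("client-vlan", local="192.168.30.0/24", remote="10.50.0.0/16")
# Genuinely ambiguous: same local LAN and a remote inside site A's range.
CLIENT_BAD_REMOTE = IpsecPolicy("client-bad", local="192.168.20.0/24", remote="192.168.10.128/25")


def summary() -> dict[str, tuple[list[str], list[str]]]:
    """(standard conflicts, per-field conflicts) for each candidate policy."""
    return {
        c.name: (selector_conflicts(EXISTING, c), per_field_conflicts(EXISTING, c))
        for c in (CLIENT_SAME_LAN, CLIENT_NEW_LAN, CLIENT_BAD_REMOTE)
    }


if __name__ == "__main__":
    for name, (standard, strict) in summary().items():
        print(f"{name:12s} standard-rule conflicts={standard!r:12s} per-field conflicts={strict!r}")
```

Under the standard rule only `client-bad` is rejected, because a packet from 192.168.20.0/24 to 192.168.10.200 would match both tunnels. Under the per-field rule `client` is also rejected purely for sharing the local subnet, which matches the behaviour the post describes; moving the tunnel to a second LAN (`client-vlan`) clears it, at the cost of the VLAN/tagging work the poster mentions.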