Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED, or INVALID.
This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable, when we did not send anything to the host), and out-of-sequence packets which can be caused by sequence prediction or other similar attacks.
The invalid-checking rule is above the forward rules for each intra-zone forwarding, so it is not so easy to bypass it.
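One way to audit the ordering described above, as an added example that is not from this thread or from any firewall vendor's tooling: a shell function that reads an `iptables-save` dump and reports whether the INVALID drop precedes every ACCEPT in the FORWARD chain. The two dumps and the interface names (`lan0`, `wan0`) are constructed for the example.

```shell
#!/bin/sh
# Added example: check that the INVALID-state drop in FORWARD sits above
# every ACCEPT, so forwarded flows cannot reach an accept rule before it.

# Constructed dump with the ordering the post recommends: INVALID drop first.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Constructed dump where an ACCEPT precedes the INVALID drop (bypassable).
BAD_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i lan0 -o wan0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# check_invalid_first CHAIN: reads a dump on stdin and prints
#   ok          - the INVALID drop comes before every ACCEPT in CHAIN
#   bypassable  - at least one ACCEPT in CHAIN is evaluated before it
#   missing     - CHAIN has no INVALID drop at all
check_invalid_first() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /--ctstate INVALID/ && $0 ~ /-j DROP/ && !seen) {
                seen = 1
            } else if ($0 ~ /-j ACCEPT/ && !seen) {
                early_accept = 1
            }
        }
        END {
            if (!seen) print "missing"
            else if (early_accept) print "bypassable"
            else print "ok"
        }'
}

# On a live box: iptables-save | check_invalid_first FORWARD
printf '%s\n' "$GOOD_DUMP" | check_invalid_first FORWARD   # ok
printf '%s\n' "$BAD_DUMP"  | check_invalid_first FORWARD   # bypassable
```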
Could you post the configuration for both tunnels? You can mask any sensitive data, like keys and public addresses.