Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID.
This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable, when we did not send anything to the host), and out-of-sequence packets which can be caused by sequence prediction or other similar attacks.
The invalid-checking rule is above the forward rules for each intra-zone forwarding, so it is not so easy to bypass it.
Could you post the configuration for both tunnels? You can mask any sensitive data, like keys and public addresses.
If your problem is solved, feel free to mark the relevant post as the solution, and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).