Почему ipsec требует, чтобы я отключил перенаправления?

Для отправки _перенаправлений вы можете найти ответ в FAQ Libreswan:

Let's say you have a VPN server in a cloud that you use with your phone. Your phone will setup an IPsec VPN and all its traffic is encrypted and send to the cloud instance, which decrypts it and sends it on the internet, using SNAT. Replies it receives are encrypted and send to your phone.

Your phone will send the VPN server an encrypted packet. The server receives it on eth0 (its only interface!) and decrypts it. The decrypted packet is then ready to get routed. The server looks which interface it should send the packet to. It is destined to go out eth0. Since the packet came in via eth0 and would go out via eth0, the server concludes there clearly must be a better path not involving itself, since it is going out the same interface. It has no idea the packet arrived encrypted and got decrypted.

This is why we recommend disabling "send_redirects" in /etc/sysctl.conf using

Возможно, Введение в strongSwan здесь немного понятнее:

If the VPN gateway is not the default gateway of the LAN, ICMP redirects might get returned to hosts if they send traffic destined for the remote hosts/subnets to the VPN gateway, directing them to the default gateway of the LAN (which probably doesn't work and otherwise might get that traffic out unencrypted). To avoid this, disable sending such ICMP messages by setting net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects to 0 (if the latter is not set before the interface comes up, also set the option for the individual interface, i.e. net.ipv4.conf..send_redirects).

Для принять _перенаправления я бы предположил просто хорошую сетевую практику. Поскольку ваш VPN-шлюз должен знать все локальные маршруты, любое перенаправление ICMP будет фиктивным и его следует игнорировать.