Bug 11604 - IPSec Subnets Wrong on index.cgi
Summary: IPSec Subnets Wrong on index.cgi
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: all All
Importance: Will affect an average number of users, Minor Usability
Assignee: Michael Tremer
Blocks: IPSECBUGS
Reported: 2018-01-29 18:48 UTC by Tom Rymes
Modified: 2018-04-26 17:57 UTC

Description Tom Rymes 2018-01-29 18:48:50 UTC
This was mentioned on the development list by Peter Müller, and I thought a bug should be opened.

IPSec subnets seem to be displayed wrong at times on the Index.cgi page. Not all tunnels are affected, but some tunnels do not match the configuration or the active output of "ipsec status".

After a closer look, this seems to affect only tunnels (at least in our configuration) that have multiple subnets defined in a comma-separated list.

Displayed on index.cgi:

"tunnelname    10.253.1.0/3    CONNECTED"

while the output of "ipsec status tunnelname" shows:

Routed Connections:
      tunnelname{102}:  ROUTED, TUNNEL, reqid 17
      tunnelname{102}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
Security Associations (26 up, 0 connecting):
      tunnelname[348]: ESTABLISHED 119 seconds ago, x.x.x.x[C=US, ST=NH, O=MyOrg, OU=Engineering Dept., CN=host1.myorg.dom]...y.y.y.y[C=US, ST=NH, O=MyOrg - tunnelname, OU=Engineering, CN=host2.myorg.dom]
      tunnelname{5022}:  INSTALLED, TUNNEL, reqid 17, ESP SPIs: cdbada31_i c4e24e27_o, IPCOMP CPIs: 5431_i 6977_o
      tunnelname{5022}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
      tunnelname{5023}:  INSTALLED, TUNNEL, reqid 17, ESP SPIs: cfdce8b8_i c1d1780e_o, IPCOMP CPIs: 6d81_i cbd4_o
      tunnelname{5023}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
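
A way to check a displayed subnet string against the traffic selectors in "ipsec status" output, added here as an example and not part of the original report or of IPFire's code. It assumes the index.cgi column shows the remote side of the tunnel; the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the "ipsec status" lines quoted in the report.
SAMPLE_STATUS = """\
Routed Connections:
      tunnelname{102}:  ROUTED, TUNNEL, reqid 17
      tunnelname{102}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
Security Associations (26 up, 0 connecting):
      tunnelname{5022}:  INSTALLED, TUNNEL, reqid 17, ESP SPIs: cdbada31_i c4e24e27_o
      tunnelname{5022}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
"""

# Traffic-selector line: name{id}:  <local subnets> === <remote subnets>
TS_LINE = re.compile(
    r"^\s*(?P<name>[^\s{\[]+)\{\d+\}:\s+(?P<local>[^=]+?)\s+===\s+(?P<remote>.+?)\s*$"
)


def _nets(text):
    """Parse a comma- or space-separated list of CIDR subnets into a set."""
    tokens = [tok for tok in re.split(r"[,\s]+", text.strip()) if tok]
    return {ipaddress.ip_network(tok, strict=False) for tok in tokens}


def remote_subnets(status_text, tunnel):
    """Collect every remote subnet listed for `tunnel` in the status output."""
    found = set()
    for line in status_text.splitlines():
        m = TS_LINE.match(line)
        if m and m.group("name") == tunnel:
            found |= _nets(m.group("remote"))
    return found


def display_matches(status_text, tunnel, displayed):
    """True only if `displayed` names exactly the active remote subnets."""
    try:
        shown = _nets(displayed)
    except ValueError:  # not parseable as CIDR at all
        return False
    return shown == remote_subnets(status_text, tunnel)


if __name__ == "__main__":
    for shown in ("10.253.1.0/3", "10.253.1.0/24,10.253.2.0/24"):
        print(shown, "->", display_matches(SAMPLE_STATUS, "tunnelname", shown))
```
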
Comment 1 Peter Müller 2018-02-06 20:04:51 UTC
This issue can be reproduced here and seems to be related to bug #11235.