I think you are getting confused by the 2 IPsec tunnel modes available. The first is called "Policy based" and is historical. You need a policy with action "ENCRYPT" for this. The addresses used in the policy are implicitly used to construct a route to the remote end.
The second, recommended way is called "Route based" or "Interface mode". Here, when you create a phase1 a virtual interface is created for the tunnel end. This is treated like any other port: you allow traffic into and out of the tunnel by policies from 'internal' to the virtual tunnel interface, with action ACCEPT. You need a route for the remote subnet, pointing to the tunnel interface.
This is much more flexible in regards to routing, NAT etc. than the older variant.
If you now cannot select the tunnel I bet the policy's action is ENCRYPT, but the phase1 is in Interface Mode. You cannot change that after the first setting; you have to recreate the phase1 in order to change the mode.
Ede
"Kernel panic: Aiee, killing interrupt handler!"