The problem is that in the absence of add check-gateway=ping distance=50 dst-address=10.0.0.0/8 type=prohibit ping to the remote server runs, but the services are not working (not connecting the IP phone, not downloaded to CRM system). I understand that the rule should not logically affect the performance, but it works (sorry for such silly comments). Masquerading for all of the tunnels are included.
Please tell me, maybe I'm the wrong way completely gone and we need to implement the scheme differently.
Thanks in advance.