This is with a Hybrid policy, right, Thorsten?
First of all: thanks for the input and the feedback.
We did some investigation and found out that you are using the property Client.IP to write cloud-only rules, or in your case, to exclude the rules from being triggered locally by taking out the local IP ranges.
In the IPSec case, this property is not set correctly (which is a bug and will be fixed as soon as possible), which leads to the whole Ruleset not being triggered for IPSec. The recommended way to write cloud-only rules is to have a condition "InTheCloud equals true".
Is it possible to change the rules this way and try again?