DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2960 - IPSEC Site to Site on WAN1, IKEV2 passthrough on WAN2

07 May 2020 23:56 #1 by service_bb
Per the subject, we have a Draytek 2960 on fw1.5.1 with multiple IPSEC Site-to-Site tunnels connected using WAN1.

We have a need to pass through IKEv2 traffic on WAN2 to an internal server.

Under VPN and Remote Access -> IPsec General Setup -> WAN Profile we have ensured only WAN1 is selected, but it appears that WAN2 is still responding to IPSEC IKEV2 requests rather than passing them through internally (we have confirmed this by temporarily unticking "Enable IPSEC Service", after which IKEV2 is passed to our internal server successfully).

Is this intentional? Can anyone advise how we can achieve the desired results?

We essentially want the Draytek 2960 to process IPSEC Site to Site Tunnels on WAN1 only and allow UDP500 and UDP4500 on WAN2 to an internal server.

Any help is greatly appreciated.

08 May 2020 23:57 #2 by service_bb
Following on from this, I thought I'd instead try dedicating a public IP to it and setting a DMZ host per https://www.draytek.com/support/knowledge-base/5213#linux
but the Draytek is STILL intercepting IKEv2 traffic rather than passing through!
Could this be a bug in 1.5.1 or is it the expected behaviour?
