Post by Wouter Amsterdam
dump file (attached) and took some time analyzing it.
In the 10th line of the Conntrack Table there seems to be some sort of
communication between my firewall's external IP and an internal IP at
the remote site (vpn21) which is [UNREPLIED]. Does this mean traffic
is going into the tunnel to the remote site, but does not return?
The support guidelines clearly state that you should clear the netfilter
counters, try the failing connection, take the dump, and explain in the
report what you tried and how it failed. All we have here is a dump and an
observation about a particular connection so I can only tell you that the
[UNREPLIED] entry is an attempt to connect from 212.115.197.253 to
192.168.21.51. There is no security policy covering that connection so the
traffic DID NOT GO THROUGH THE TUNNEL. Given that it was addressed to an RFC
1918 address, the packet was simply dropped when or before it reached the
internet core routers.
If you look down in the section of the dump titled PFKEY SPD, you will see
all of the Security Policies that you have defined. The only one with source
212.115.197.253 is from gateway to gateway. So the other gateway is the only
host that this gateway can communicate with through the tunnel.
As spelled out in the Shorewall IPSEC 2.6 documentation, it takes 8 security
policies to completely cover the combinations when connecting two local
subnets via IPSEC.
I can see no reason that zones loc6 and loc7 should not be able to communicate
with the remote network. Note though that you can totally eliminate
Shorewall from the issue by doing 'shorewall clear' then trying to
communicate. If that doesn't work then your Shorewall configuration is not
the immediate cause of the problem. Be sure to 'shorewall start' after the
test since your firewall will be wide open after the 'shorewall clear'.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ ***@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
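The reasoning Tom walks through above (an [UNREPLIED] conntrack entry, a look at the PFKEY SPD to see whether any security policy selects that flow, and the "8 policies" rule of thumb for two subnets behind two gateways) can be turned into a small diagnostic script. The following is an added example, not code from the original post or from the Shorewall project. The conntrack lines and the SPD are constructed to resemble the case discussed; the remote gateway address 203.0.113.5, the local subnet 192.168.6.0/24 and the remote subnet 192.168.21.0/24 are assumptions, and the 8-policy set is built as every combination of {gateway, subnet} on each side in both directions, which is how the example reads that remark.

```python
import ipaddress
import re

# Constructed sample in the /proc/net/ip_conntrack layout; not the dump from the thread.
# The third line mirrors the entry under discussion: a SYN from the firewall's external
# address to a host on the remote LAN that never got an answer.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.6.10 dst=192.168.6.1 sport=40122 dport=22 src=192.168.6.1 dst=192.168.6.10 sport=22 dport=40122 [ASSURED] use=1
udp      17 29 src=212.115.197.253 dst=203.0.113.5 sport=500 dport=500 src=203.0.113.5 dst=212.115.197.253 sport=500 dport=500 [ASSURED] use=1
tcp      6 117 SYN_SENT src=212.115.197.253 dst=192.168.21.51 sport=41234 dport=22 [UNREPLIED] src=192.168.21.51 dst=212.115.197.253 sport=22 dport=41234 use=1
"""

# Assumed addressing: only the local gateway address comes from the thread.
LOCAL_GW = "212.115.197.253"
LOCAL_NET = "192.168.6.0/24"     # assumed subnet behind the local gateway
REMOTE_GW = "203.0.113.5"        # placeholder for the remote gateway (documentation range)
REMOTE_NET = "192.168.21.0/24"   # assumed subnet behind the remote gateway

# Constructed SPD holding only the gateway-to-gateway pair, i.e. the situation Tom describes.
SAMPLE_SPD = [
    (ipaddress.ip_network(LOCAL_GW), ipaddress.ip_network(REMOTE_GW)),
    (ipaddress.ip_network(REMOTE_GW), ipaddress.ip_network(LOCAL_GW)),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# proto, layer-4 number, timeout, optional TCP state, then the original-direction tuple.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def parse_conntrack(text):
    """Parse ip_conntrack-style lines into dicts keyed on the original-direction tuple."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "proto": m.group("proto"),
            "state": m.group("state"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
            "unreplied": "[UNREPLIED]" in line,
        })
    return entries


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def covering_policy(spd, src, dst):
    """Return the first (src_net, dst_net) selector that matches the flow, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in spd:
        if src in src_net and dst in dst_net:
            return (src_net, dst_net)
    return None


def diagnose(entries, spd):
    """For each [UNREPLIED] entry, say whether any SPD selector would have put it in the
    tunnel and whether the destination is RFC 1918 (i.e. unroutable on the public internet)."""
    findings = []
    for e in entries:
        if not e["unreplied"]:
            continue
        pol = covering_policy(spd, e["src"], e["dst"])
        findings.append({
            "proto": e["proto"], "state": e["state"], "src": e["src"], "dst": e["dst"],
            "covered": pol is not None, "policy": pol, "rfc1918_dst": is_rfc1918(e["dst"]),
        })
    return findings


def expected_policies(gw1, net1, gw2, net2):
    """The 8 selectors for joining two subnets through a gateway-to-gateway tunnel:
    {gw1, net1} x {gw2, net2}, each in both directions (assumed reading of the post)."""
    left = [ipaddress.ip_network(gw1), ipaddress.ip_network(net1)]
    right = [ipaddress.ip_network(gw2), ipaddress.ip_network(net2)]
    pols = []
    for a in left:
        for b in right:
            pols.append((a, b))  # outbound selector
            pols.append((b, a))  # inbound selector
    return pols


def missing_policies(spd, expected):
    return [p for p in expected if p not in spd]


if __name__ == "__main__":
    for f in diagnose(parse_conntrack(CONNTRACK_SAMPLE), SAMPLE_SPD):
        verdict = "covered by %s" % (f["policy"],) if f["covered"] else "NO SPD selector: not tunnelled"
        print("%s %s %s -> %s: %s%s" % (f["proto"], f["state"], f["src"], f["dst"], verdict,
                                       " (RFC 1918 destination, dropped upstream)" if f["rfc1918_dst"] else ""))
    for p in missing_policies(SAMPLE_SPD, expected_policies(LOCAL_GW, LOCAL_NET, REMOTE_GW, REMOTE_NET)):
        print("missing SPD selector: %s -> %s" % p)
```

Run against a real dump you would feed the conntrack section to parse_conntrack and build the SPD list from the src/dst selectors shown under PFKEY SPD; the point of the check is that an [UNREPLIED] entry with no covering selector was never encrypted, so the failure lies before the tunnel rather than inside it.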