Test scenario: NW65sp4a, bm38sp4. Connects to a Smoothwall Express v2.0 firewall with openswan and ipsec (basically a hardened Linux machine for firewall use).
Routes are as follows (left side on Smoothwall, right side on BM, public IPs defaced) using preshared secrets and all is fine. Now change masks to /16: and FAILURE.
Next changed the "tunnel address" from to just in case, changed both BM server and slave (foreign server) tunnels to be on /16.

When we use /16, the IKE debug screen says IKE_SA is created etc. etc.; however, TCPCON shows no route for but does show the usual suspects, e.g.
default dd.ef.4.249 (ADSL modem) FIREBM (name of BM box), dd.ef.4.248,
BUT nothing like to (the tunnel for it). (I discovered this by changing the end networks back to /24; then we get routing, IKE says created SA, and we can ping from one side to another.)

I assume that we should be able to use /16 nets across a VPN (or that's the answer). Am I missing the obvious?

Thanks in advance