All IKE UDP 500 traffic to and from the gateway interfaces themselves (this does not include IKE traffic trying to transit the gateway) will always be allowed by these implied rules:
Once allowed the source IP address will be checked against a list of known VPN peers by vpnd, and if it doesn't match the IKE traffic is discarded. While in most cases the two endpoints for a site-to-site VPN have fixed IP addresses, all IKE traffic to the gateway's interfaces must be initially accepted from any source IP address to cover the case of a Dynamically Assigned IP (DAIP) VPN peer.
New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com