Ff 49.x in safe mode, therefore all addons disabled, does not work. This laptop, which thinks it is up to date with Ff 47.x, works as does Edge (yuck).

Please can you repost the conf file between code tags? It makes no sense the way it has been posted and indenting and line breaks have some importance in Libreswan/Openswan. Please post them from both ends.

Before you do that, can you add a leftsourceip (Local LAN IP) to each conn.

Also please post the connection logs.

No longer able to edit forum posts with Firefox?

It seems like I am no longer able to edit forum posts with Firefox 49.x. I have tried in safe mode (all addons disabled) and it did not help. I can do the edit but when I hit the "Save" button, it greys out but nothing more happens and I have to cancel out of it. I can still edit them with Edge.

Has anyone else seen the same?

No the comments are not valid for an gateway-gateway connection with no NAT. That is a much easier set up which the basic free interface should handle directly.
Make sure you've opened the incoming firewall to the Standard Service IPsec as this does more than open udp:500.
If you can't connect, post your conf files from /etc/ipsec.d/

FWIW left and right can be either side. A lot of people (including the ClearOS webconfig) use left as the local side but you don't have to. A gateway-gateway configuration is often symmetrical and you can pick up the conf file from one side and drop it into the setup on the other side unchanged. Then right becomes your local side. Librewan/Openswan works out which side is which when it matches the conf file with the local IP settings.

Agreed. Looks OK.

IPsec is not NAT friendly and a port forward won't work (and you also need to forward esp).

I think it is the default in our set up, but make sure you have a line in /etc/ipsec.conf which says "nat_traversal=yes", in the "config setup" section with no preceding blank lines and make sure the line is indented.

On site B port forward udp:4500 in your router and open udp:4500 in both ClearOS's.

The next bit I'm always hazy on. In your conf file in /etc/ipsec.d, you will need to fix the leftid/rightid manually as each side assumes the other will use its WAN IP, but in reality site B will use the ClearOS WAN IP, assuming left is always the local machine, I think either on A you need to set rightid=clearosB_WAN_interface_IP or on B you need to set left=SiteB's_public_IP. I would prefer the second.

Lastly this will affect your secrets file. The easiest thing to do is to add %any after the two IP addresses. You may have to fix one or both systems to match the left/rightid, but I'm not sure. Or you could just make sure you have 3 IP's in it, A_WAN, B_Public and B_ClearOS_WAN.

Restart ipsec after the changes.

You can do this manually, but I think (I'll have to check later), you need the paid-for version of the interface if you want to do it through the webconfig.

Please use code tags next time (the piece of paper icon with a <>. It makes reading the output so much easier. For semr reason I can no longer save edits to posts so I can't fix it.

You have a number of issues.
Firstly, in the firewall you have not opened incoming 80 or 443, so noting will get into ClearOS
Secondly you have a port forward on 443. If you need the port forward, then don't open incoming 443, but you will be unable to access the ClearOS web server by https.
Thirdly, and I don't know much about it, it looks like apache (httpd) is only listening on IPv6 which I don't believe as you can access it from your LAN which is IPv4. My test box is the same and I can access it through its WAN connection so I suspect everything is OK. It is just my understanding which is not.

Start off by opening incoming tcp:80 and check with basic http. If that works, then you'll need to decide what you want to do with https. If you want it both on ClearOS and on 192.168.0.204 then consider using a reverse proxy set up in ClearOS.

Don't port forward to your LAN IP.

What is the output of Results between code tags, please.

Your basic set up looks OK and I don't know how to troubleshoot this one. What is the contents of /etc/dnsmasq.conf on the server?

Sorry, I don't know. Your set up looks OK. I can't afford to cut the family off to test.

Is there anything in the logs when this goes wrong (apart from the WAN trying to reconnect)?