Now also got the "main" authentication mode (not "normal") working fine.
The problem was that the main mode insists on "IP address" setting of
"My Identifier", whereas I had set "Domain name" in aggressive mode.
The error messages in the log provided enough hints to solve this problem.
To sum up, extracting a sub-subnet via an IPSec VPN tunnel between two
m0n0wall v1.2b2 works fine.
m0n0local runs ARP proxy on the LAN interface to "attract" traffic for
the remote sub-subnet without adding any additional route.
m0n0remote runs the DHCP server on its LAN interface to dish out
extracted IP addresses from the sub-subnet range, and provides clients
also with the VPN tunnel end-point as remote default gateway (and DNS