For anything to persist in vCloud Director, you must configure it in vCloud Director. Otherwise, when you clone a vApp ... the settings for the VPN/Firewall will not transfer from the source configuration to the destination. All of these sorts of settings are stored in the vCloud Director database and pushed down to the vSE when the vApp is powered on (vSE is created).
This is a known side effect of not doing things in the vCloud GUI.
In vCloud Director 1.0, there wasn't even a VPN option in the vCloud GUI. Some customers then chose to configure VPN for users. These VPN settings would not persist over a Network Reset or vApp Power Off/On cycle.
Even if you did do it as Org vDC networks, there is nothing stopping people from hopping onto a different network and causing conflicts ... even if it was human error and not by choice.
Optimally, you want to do everything in the vCloud Director GUI ... otherwise, you would need some sort of automation to handle this ... but that requires coding on top of what you are doing already.