I'm totally lost among the many options one has (VTI, XFRM, policy-based vs. route-based, and so on) while trying to set up a road warrior setup with strongswan.
I read Traffic is dropped for IPsec with firewall4, but it is unclear to me why a bridge with a VLAN interface needs to be set up pointing to the WAN interface. So I do not want to follow it blindly.
Wireguard tends to be significantly easier to set up (it's been a while since I used strongswan, and it has seen considerable changes in terms of service startup and process supervision recently).
This may be necessary because the other end is a corporate appliance etc. that only supports IPSec.
VTI is deprecated in favor of XFRM, so use XFRM for a routed configuration. The xfrm package is necessary. The default ip-tiny utility does not fully support XFRM. It can be replaced with ip-full, though that is not necessary to run an xfrm IPSec tunnel.
The xfrm tunnel must be created separately in /etc/config/network. The link between the XFRM interface and the IPSec tunnel is the ifid number, which can be any 32-bit number but must match in both configurations.
config interface 'xfrm0'
	option ifid '301'
	option tunlink 'loopback'
	option mtu '1438'
	option proto 'xfrm'

config interface 'xfrm0_s'
	option ifname '@xfrm0'
	option proto 'static'
	option ipaddr '10.65.254.1/24'
Here the tunnel is given an IP address, which is useful for initial testing to ping the other side (assuming it is configured with an IP address and answers pings). The routed configuration works like other layer 3 VPNs such as Wireguard or OpenVPN: the tunnel interface would be attached to a firewall zone, and static routes declared to reach LANs on the other side.
In order to make the tunnel the default route for all Internet usage, a strongswan "up" script is needed to install those routes, including a "hole punch" exception so that the encrypted packets to the VPN server go through the regular WAN.
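The "up" script described above, written out as an added example (it is not code from the original post, nor a script shipped by strongSwan or OpenWrt). It assumes the xfrm0 interface from the UCI config above, that strongSwan calls it as the connection's updown script (so the PLUTO_VERB, PLUTO_PEER and PLUTO_VERSION variables are set by strongSwan's updown plugin), and that the WAN gateway is the gateway of the current IPv4 default route. The two /1 routes take precedence over the existing default route without deleting it, and the /32 host route to the peer is the "hole punch" that keeps IKE and ESP on the WAN; the IP addresses used in comments are constructed sample values. Set DRY_RUN=1 to preview the route changes instead of applying them.

```shell
#!/bin/sh
# strongSwan updown script for a routed XFRM tunnel (added example, not from the post).
# Assumed interface: xfrm0 with ifid 301 as in the /etc/config/network snippet above.

XFRM_DEV="${XFRM_DEV:-xfrm0}"

# Gateway of the current IPv4 default route that is NOT the tunnel itself, i.e. the WAN.
# Typical "ip -4 route show default" line: "default via 192.0.2.1 dev wan proto static"
wan_gateway() {
    ip -4 route show default 2>/dev/null |
        awk -v dev="$XFRM_DEV" '$2 == "via" && $5 != dev { print $3; exit }'
}

# Print, one per line, the route commands for a strongSwan verb.
#   $1 verb (up-client, down-client, ...)  $2 peer/VPN server IP
#   $3 WAN gateway                          $4 xfrm interface name
# Kept separate from execution so the route plan can be inspected and tested.
build_route_cmds() {
    verb="$1"; peer="$2"; gw="$3"; dev="$4"
    case "$verb" in
        up-client|up-host)
            printf '%s\n' \
                "ip route replace $peer/32 via $gw" \
                "ip route replace 0.0.0.0/1 dev $dev" \
                "ip route replace 128.0.0.0/1 dev $dev"
            ;;
        down-client|down-host)
            # Reverse order of the "up" case.
            printf '%s\n' \
                "ip route del 128.0.0.0/1 dev $dev" \
                "ip route del 0.0.0.0/1 dev $dev" \
                "ip route del $peer/32 via $gw"
            ;;
        *)
            # Other verbs (e.g. IPv6 variants) are not handled by this script.
            return 0
            ;;
    esac
}

# Apply (or, with DRY_RUN set, only print) the routes for the current invocation.
apply_routes() {
    gw="$(wan_gateway)"
    if [ -z "$gw" ]; then
        echo "updown: no WAN default gateway found, refusing to change routes" >&2
        return 1
    fi
    build_route_cmds "$PLUTO_VERB" "$PLUTO_PEER" "$gw" "$XFRM_DEV" |
        while IFS= read -r cmd; do
            if [ -n "${DRY_RUN:-}" ]; then
                echo "$cmd"
            else
                $cmd || return 1
            fi
        done
}

# strongSwan exports PLUTO_VERSION on every call; when run by hand for inspection
# nothing is changed and only the functions above are defined.
if [ -n "${PLUTO_VERSION:-}" ]; then
    apply_routes
fi
```

Point swanctl (or ipsec.conf) at this file as the connection's updown script; because the default route is overridden rather than replaced, the "down" verbs restore normal Internet access when the tunnel goes away.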