This may be necessary because the other end is a corporate appliance etc. that only supports IPSec.
VTI is deprecated in favor of XFRM, so use XFRM for a routed configuration. The xfrm package is necessary. The default ip-tiny utility does not fully support XFRM. It can be replaced with ip-full though that is not necessary to run an xfrm IPSec.
The xfrm tunnel must be created separately in /etc/config/network. The link between the XFRM interface and the IPSec tunnel is the ifid number, which can be any 32 bit number but must match in both configurations.
config interface 'xfrm0'
option ifid '301'
option tunlink 'loopback'
option mtu '1438'
option proto 'xfrm'
config interface 'xfrm0_s'
option ifname '@xfrm0'
option proto 'static'
option ipaddr '10.65.254.1/24'
Here the tunnel is given an IP address, which is useful for initial testing to ping to the other side (assuming it is configured with an IP address and answers pings). The routed configuration works like other layer 3 VPNs like Wireguard or OpenVPN-- the tunnel interface would be attached to a firewall zone, and static routes declared to reach LANs on the other side.
In order to make the tunnel the default route for all Internet usage, a strongswan "up" script is needed to install those routes, including a "hole punch" exception so that the encrypted packets to the VPN server go through the regular WAN.