IPSEC / strongswan: connection up but no ESP

I have the following config:

# cat /etc/config/ipsec
config ipsec
  list interface 'wan'
  list interface 'wan6'
  option zone 'IPSecVPN'

config remote '<remote_id>'
  option enabled '1'
  option gateway '<remote_host_name>'
  option local_gateway '<local_host_name>'
  option local_identifier '<local_id>'
  option remote_identifier '<remote_id>'
  option pre_shared_key '<redacted>'
  option authentication_method 'psk'
  list crypto_proposal 'crypto256'
  list tunnel 'home'

config tunnel 'home'
  list local_subnet '10.0.0.0/16'
  list remote_subnet '10.1.0.0/16'
  list crypto_proposal 'crypto128'
  option hw_offload 'yes'

config crypto_proposal 'crypto256'
  option encryption_algorithm 'aes256'
  option hash_algorithm 'sha256'
  option dh_group 'modp2048'
  option prf_algorithm 'prfsha256'

config crypto_proposal 'crypto128'
  option encryption_algorithm 'aes128'
  option hash_algorithm 'sha1'
  option dh_group 'modp2048'

The connection seems to be fine:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.11, Linux 5.15.137, mips):
  uptime: 8 seconds, since Jul 07 10:28:10 2024
  worker threads: 9 of 16 idle, 6/0/0/1 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp gmpdh curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  <redacted>
  <redacted>
Connections:
        <remote_id>:  %any...<remote_host_name>  IKEv2
        <remote_id>:   local:  [<local_id>] uses pre-shared key authentication
        <remote_id>:   remote: [<remote_id>] uses pre-shared key authentication
        home:   child:  10.0.0.0/16 === 10.1.0.0/16 TUNNEL
Routed Connections:
        home{1}:  ROUTED, TUNNEL, reqid 1
        home{1}:   10.0.0.0/16 === 10.1.0.0/16
Security Associations (0 up, 1 connecting):
        <remote_id>[3]: ESTABLISHED 0 seconds ago, <redacted_ip>[<local_id>]...<redacted_ip>[<remote_id>]
        <remote_id>[3]: IKEv2 SPIs: <redacted>, rekeying in 3 hours
        <remote_id>[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

But I cannot ping any hosts on remote 10.1.0.0/16, nor does tcpdump -i eth0 ip proto 50 capture anything.

In the firewall, I added rules that allow INPUT of UDP port 500, port 4500 or proto ipsec-esp, and also allowed routing between the IPSecVPN zone and the local LAN zone. NAT to subnet 10.1.0.0/16 is disabled as well.
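
Added example, not part of the original post: in `ipsec statusall` output an IKE_SA is listed as `name[N]:` and a CHILD_SA as `name{N}:`, and ESP traffic needs a CHILD_SA in state INSTALLED, not only an ESTABLISHED IKE_SA or a ROUTED trap policy. The script below counts each kind; the function names are hypothetical and the sample is constructed by trimming the output shown above.

```shell
#!/bin/sh
# Classify SA lines in `ipsec statusall` output (added example).
# IKE_SA lines look like   name[N]: ESTABLISHED ...
# CHILD_SA lines look like name{N}: INSTALLED, ...  or  name{N}: ROUTED, ...

# Constructed sample, trimmed from the output in the post (placeholders kept).
sample_status() {
cat <<'EOF'
Routed Connections:
        home{1}:  ROUTED, TUNNEL, reqid 1
        home{1}:   10.0.0.0/16 === 10.1.0.0/16
Security Associations (0 up, 1 connecting):
        <remote_id>[3]: ESTABLISHED 0 seconds ago, <redacted_ip>[<local_id>]...<redacted_ip>[<remote_id>]
        <remote_id>[3]: IKEv2 SPIs: <redacted>, rekeying in 3 hours
EOF
}

# Reads statusall text on stdin, prints "ike=N installed=N routed=N".
sa_summary() {
    awk '
        /\[[0-9]+\]: +ESTABLISHED/    { ike++ }     # IKE_SA negotiated
        /[{][0-9]+[}]: +INSTALLED,/   { inst++ }    # CHILD_SA with ESP SPIs
        /[{][0-9]+[}]: +ROUTED,/      { routed++ }  # trap policy only
        END { printf "ike=%d installed=%d routed=%d\n", ike, inst, routed }
    '
}

# Exit status 0 only when at least one CHILD_SA is INSTALLED.
esp_ready() {
    case "$(sa_summary)" in
        *"installed=0 "*) return 1 ;;
        *) return 0 ;;
    esac
}

# On the router: ipsec statusall | sa_summary
sample_status | sa_summary
```

For the output in the post this reports one established IKE_SA, one routed policy and no installed CHILD_SA.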