Nftables ipsec site to site firewall config

I'm struggling to replace my fw3 firewall config with nftables rules. How do I separate ipsec/non-ipsec traffic? For iptables I used "option extra" for ipsec parameters. I'm not sure how to get the same for fw4.

Is someone willing to share a simple firewall config working with 3 zones (lan, wan, vpn) with strongswan used as a site-to-site connection? Something like:
site A:
site B:
Both sites connected to the internet + a secured tunnel between site A and B.