OW(OpenWrt) as Client for Zyxel

OpenWrt uses the private IP address 192.168.43.25. Could you get a public IP address (IPv4 or IPv6) for the OpenWrt router? This is optional, but it allows a more stable configuration. Even a single dynamic address would be an improvement.

The tunnel is up, but no traffic has been flowing yet. The traffic selectors 192.168.221.33/32 === 192.168.222.0/24 and the gateway address do not match your network diagram. Please fix the diagram or the configuration. Below I will assume that the diagram is correct.

On OpenWrt:

  • Change the traffic selectors and gateway address in ipsec.conf:
         leftsubnet=192.168.1.100/32   # local host/subnet behind OpenWrt
         right=70.1.23.45              # public address of the remote VPN server (Zyxel)
         rightsubnet=10.10.10.0/24     # remote subnet behind the VPN server
    
    Adjust the subnet masks /24 and /32 as needed.
  • Make sure that NAT is not applied to tunneled traffic. For a simple solution, add the following line to /etc/firewall.user (untested):
    iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    
  • Update: Allow incoming IPsec-protected traffic to be forwarded:
    iptables -A forwarding_rule -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    
    More featureful solutions could be imagined too, for example a separate VPN zone in the OpenWrt firewall.

On the VPN Server:

  • Change the traffic selectors to match OpenWrt.
  • Disable Diffie-Hellman group 1 (768-bit); it is insecure.
  • Disable DES; it is insecure.
  • Disable 3DES (optional).

In your diagram, User is labelled with 10.10.10.0. Is that an IP address or a subnet?

  • In case of a subnet, it is missing the subnet mask.
  • In case of an IP address: Don't assign the .0 address to a host (assuming the subnet mask is /24).

Furthermore, there are IP addresses 192.168.222.0 and 192.168.100.100. What is their purpose?
The traffic selectors specify the IP addresses of the hosts that want to communicate across the tunnel. A VPN gateway does not need to have an IP address from the traffic selector range unless you want it to take part in the tunneled communication.

I don't use uci or LuCI to set up strongSwan, maybe someone else can answer this.
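The checks made by hand above (selector prefix length, a .0 address used as a host, the gateway sitting inside its own traffic selector, overlapping selectors, and DES/3DES/DH group 1 in the proposals) can be scripted against a strongSwan ipsec.conf. This is an added example, not code from the original answer or from strongSwan; the conn section it parses is a constructed sample that reuses the selectors suggested above.

```python
import ipaddress
import re
WEAK_ALGS = {"des", "3des", "modp768"}  # DES, 3DES, DH group 1 (768-bit MODP): disable these

def parse_conns(text):
    """Parse ipsec.conf text into {conn_name: {key: value}}; '#' comments are stripped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def check_conn(name, c):
    """Findings for one conn: selector sanity, gateway placement, weak proposals."""
    findings, nets = [], {}
    for side in ("left", "right"):
        sel = c.get(side + "subnet")
        if sel is None:
            continue
        if "/" not in sel:
            findings.append(f"{name}: {side}subnet={sel} has no prefix length")
            continue
        net = nets[side] = ipaddress.ip_network(sel, strict=False)
        # A /32 ending in .0 is almost certainly a mislabelled /24, not a host address.
        if net.prefixlen == 32 and net.network_address.packed[-1] == 0:
            findings.append(f"{name}: {side}subnet={sel} uses the .0 address as a host")
        gw = c.get(side, "")
        # The gateway only needs to sit inside the selector if it joins the tunneled traffic.
        if re.fullmatch(r"[\d.]+", gw) and ipaddress.ip_address(gw) in net:
            findings.append(f"{name}: gateway {side}={gw} lies inside {side}subnet={sel}")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        findings.append(f"{name}: leftsubnet and rightsubnet overlap")
    for key in ("ike", "esp"):
        for tok in re.split(r"[-,!]", c.get(key, "").lower()):
            if tok in WEAK_ALGS:
                findings.append(f"{name}: {key} proposal uses weak algorithm {tok}")
    return findings

# Constructed sample: the selectors suggested above, plus an IKE proposal list that still allows 3DES, group 1 and DES.
SAMPLE = """conn zyxel
  leftsubnet=192.168.1.100/32
  right=70.1.23.45
  rightsubnet=10.10.10.0/24
  ike=aes256-sha256-modp2048,3des-sha1-modp768,des-sha1-modp1024!
"""
```

Run `check_conn(name, conn)` over each entry of `parse_conns(open("/etc/ipsec.conf").read())`; an empty list means none of the listed problems were found.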