This results in a set of firewall rules, part of which is equivalent to
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
The rule applies to both VPN and non-VPN traffic, no matter what the zone's name suggests.
Since the IP source address could be spoofed, this is not secure.
I tried to improve it with the following options:
option extra_src '-m policy --dir in --pol ipsec --proto esp'
option extra_dest '-m policy --dir out --pol ipsec --proto esp'
Together with an IPsec configuration for ESP tunnel mode, the IP addresses are known to be authenticated and can be relied upon for filtering.
Further, I would add
option mtu_fix '1'
to the VPN zone. It might obviate the need for the kernel-netlink settings, but I haven't done any rigorous testing.
With some more extra_src and extra_dest options it is also possible to lift the zone ordering requirement. See my previous post for details.
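As an added example (not code from the post), a small POSIX shell audit that reads iptables-save output and flags inbound ACCEPT rules that trust a source subnet without the IPsec policy match described above; the rule dump it runs on is constructed, reusing the post's 192.168.2.0/24 subnet.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump for
# INPUT/FORWARD ACCEPT rules that match on a source subnet (-s) without also
# requiring '-m policy --dir in --pol ipsec', i.e. rules that accept spoofable
# cleartext traffic as if it had arrived through the IPsec tunnel.
# The dump below is constructed sample data; only 192.168.2.0/24 comes from the post.

SAMPLE_RULES='*filter
-A INPUT -s 192.168.2.0/24 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT'

# Reads iptables-save text on stdin; prints every ACCEPT rule on an inbound
# chain that filters on -s but has no inbound IPsec policy match.
find_spoofable_accepts() {
    grep -E '^-A (INPUT|FORWARD) .*-s [0-9./]+.* -j ACCEPT' \
        | grep -v -- '-m policy --dir in --pol ipsec'
}

# Same input; prints just the number of findings (0 when the ruleset is clean).
count_spoofable_accepts() {
    find_spoofable_accepts | grep -c .
}

# Run with --demo to see the findings for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | find_spoofable_accepts
fi
```

Run it against a live box with `iptables-save | sh audit.sh`-style piping by calling `find_spoofable_accepts` on the real dump instead of `$SAMPLE_RULES`.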