Strongswan roadwarrior VPN working, but not sure how :)

Over the past 3 weeks, I've been playing around with setting up a VPN for my phone and tablet to connect into my home internet connection, and primarily followed this wiki page: https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

Very crudely, my setup is as follows:

```
VpnClient(192.168.254.99)  <---------> [ OpenWrt ] <-> Lan (192.168.0.0/24)
                                            |--------> PPPOE_Wan (X.x.x.x)
```

As of 45 mins ago I finally got it working!! :smile:

However, I ran across two things that came as a surprise.

Routing
While troubleshooting, I was running tcpdump thinking I had missing routes or something, and to my surprise, I could see the decrypted traffic for the VPN client (192.168.254.99) on my pppoe_wan interface. Additionally, I could ONLY see it there and nowhere else (like eth0 or br-lan). How is that possible from a routing perspective, or is there something else going on that I've missed?

Firewall Rules

After about 3 days of trying many different things, I realized I missed this step from the wiki:

> You will also need additional forwarding rules in firewall.user. Note that strongswan mentions the leftfirewall=yes setting in ipsec.conf which used to add the iptables entries using the _updown script in /usr/libexec/ipsec/_updown but this has been deprecated and doesn't do anything.
> firewall.user:

The only IPSec firewall rules that I had added initially were these:

```
config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'IPSec ESP'
	option proto 'esp'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'IPSec IKE'
	option proto 'udp'
	option dest_port '500'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'
	option name 'IPSec NAT-T'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'IPSec Auth Header'
	option proto 'ah'
```

With only the above 4 uci rules in place, the IPsec tunnel was still getting successfully established, and I could ping the router from my VPN client, and I could even ping the VPN client from my OpenWrt router and from my home PC. (Which made me twig that routing must be working, despite the config being unexpected.) But my VPN client could NOT ping any LAN clients, or connect out to the internet via my home ISP.

```
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
```

Once I added these 4 extra raw iptables commands to firewall.user and reloaded the firewall, everything started working.

My 2nd question is: why were these rules needed? To anyone familiar with strongSwan and IPsec VPNs in general: I would greatly appreciate any info / guidance / links / diagrams that would help fill in my knowledge gaps.
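Added example, not code from the post or the OpenWrt wiki: a POSIX shell check over `iptables-save` output that reports, for each of the four policy-match rules in the post, whether it is present and whether it was inserted ahead of the chain's zone dispatch jump (assumed fw3 layout, `-j zone_*`), which is what the `-I` in the post achieves and what an `-A` would not. The sample ruleset below is constructed.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output: the INPUT policy rule is
# present and early, the OUTPUT rule was appended after the zone jump,
# and both FORWARD rules are absent.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i pppoe-wan -j zone_wan_input
-A FORWARD -i br-lan -j zone_lan_forward
-A FORWARD -i pppoe-wan -j zone_wan_forward
-A OUTPUT -o pppoe-wan -j zone_wan_output
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT'

# chain:direction pairs of the four rules the post adds to firewall.user
REQUIRED="INPUT:in FORWARD:in FORWARD:out OUTPUT:out"

# Line number of the first rule in $2 containing fixed string $1 (empty if none).
rule_line() {
  printf '%s\n' "$2" | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

# Print "CHAIN:dir:ok|missing|shadowed" for each required rule.
# "shadowed": the rule sits after the chain's first -j zone_* jump. Assumption
# about the fw3 layout: the zone chain ends in a terminal ACCEPT/REJECT, so a
# policy rule appended behind it is never reached for wan-side packets.
audit_policy_rules() {
  ruleset="$1"
  for spec in $REQUIRED; do
    chain=${spec%%:*}; dir=${spec##*:}
    rule="-A $chain -m policy --dir $dir --pol ipsec --proto esp -j ACCEPT"
    at=$(rule_line "$rule" "$ruleset")
    zone=$(printf '%s\n' "$ruleset" | grep -nE -- "^-A $chain .*-j zone_" \
           | head -n 1 | cut -d: -f1)
    if [ -z "$at" ]; then
      echo "$chain:$dir:missing"
    elif [ -n "$zone" ] && [ "$at" -gt "$zone" ]; then
      echo "$chain:$dir:shadowed"
    else
      echo "$chain:$dir:ok"
    fi
  done
}

audit_policy_rules "$SAMPLE_RULESET"
```

On a live router, feed it the real ruleset with `audit_policy_rules "$(iptables-save)"` after a firewall reload to confirm the firewall.user rules survived it.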