Strongswan site to site ipsec based VPN

Installing and Using OpenWrt Network and Wireless Configuration
1

Router 1 swanctl.conf
connections {
myvpn {
remote_addrs = 1.1.1.2
proposals = aes256-sha256-modp2048
local {
auth = psk
id = 1.1.1.1
}
remote {
auth = psk
id = 1.1.1.2
}
children {
myvpn {
mode = tunnel
local_ts = 192.168.1.0/24
remote_ts = 192.168.2.0/24
esp_proposals = aes256-sha256-modp2048
dpd_action = clear
start_action = start
local {
intf = wan
}
remote {
intf = wan
}
}
}
}
}

secrets {
ike-1 {
id-1 = 1.1.1.1
secret = 0987654321
}
}

Router 2 swanctl.con
connections {
myvpn {
remote_addrs = 1.1.1.1
proposals = aes256-sha256-modp2048
local {
auth = psk
id = 1.1.1.2
}
remote {
auth = psk
id = 1.1.1.1
}
children {
myvpn {
mode = tunnel
local_ts = 192.168.1.0/24
remote_ts = 192.168.2.0/24
esp_proposals = aes256-sha256-modp2048
dpd_action = clear
start_action = start
local {
intf = wan
}
remote {
intf = wan
}
}
}
}
}

secrets {
ike-1 {
id-1 = 1.1.1.2
secret = 0987654321
}
}

br-lan ip of router 1 is 192.168.1.1 br-wan ip of router 1 is 1.1.1.1
br-lan ip of router 2 is 192.168.2.1 br -wan ip of router 2 is 1.1.1.2
i connected br wan through ethernet cable of both routers.. Now i want to send data through tunnel..
the tunnel status from router 1 is below
root@OpenWrt:/etc/swanctl# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.10, Linux 5.15.134, mips):
uptime: 34 seconds, since Feb 22 15:37:03 2024
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
192.168.1.1
fda4:5ec0:e0bb::1
1.1.1.1
Connections:
myvpn: %any...1.1.1.2 IKEv1/2
myvpn: local: [1.1.1.1] uses pre-shared key authentication
myvpn: remote: [1.1.1.2] uses pre-shared key authentication
myvpn: child: 192.168.1.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
myvpn[2]: ESTABLISHED 4 seconds ago, 1.1.1.1[1.1.1.1]...1.1.1.2[1.1.1.2]
myvpn[2]: IKEv2 SPIs: 172622ea1b0b01a8_i 2489b8ad9c1c7a74_r*, rekeying in 3 hours
myvpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

the tunnel status from router 2 is below
root@OpenWrt:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.10, Linux 5.15.134, mips):
uptime: 103 seconds, since Feb 22 15:37:46 2024
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
192.168.2.1
fda8:7f24:d34f::1
1.1.1.2
fda8:7f24:d34f:10::1
Connections:
myvpn: %any...1.1.1.1 IKEv1/2
myvpn: local: [1.1.1.2] uses pre-shared key authentication
myvpn: remote: [1.1.1.1] uses pre-shared key authentication
myvpn: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (2 up, 0 connecting):
myvpn[2]: DELETING, 1.1.1.2[1.1.1.2]...1.1.1.1[1.1.1.1]
myvpn[2]: IKEv2 SPIs: 1e9dda03ac9ea66f_i 2b633cfef675ceff_r*
myvpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
myvpn[2]: Tasks active: IKE_DELETE
myvpn[1]: ESTABLISHED 94 seconds ago, 1.1.1.2[1.1.1.2]...1.1.1.1[1.1.1.1]
myvpn[1]: IKEv2 SPIs: 172622ea1b0b01a8_i* 2489b8ad9c1c7a74_r, rekeying in 3 hours
myvpn[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

route -n on router 1: 1.1.1.1
root@OpenWrt:/etc/swanctl# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 1.1.1.2 0.0.0.0 UG 0 0 0 br-wan
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-wan
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

the firewall rules on router 2: ip 1.1.1.2
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-Ping-LAN'
option src 'lan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-ICMP-from-192.168.2.0-to-192.168.1.0'
option src 'lan'
option dest 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option dest_ip '192.168.1.0/24'
option target 'ACCEPT'
config rule
option name 'Allow-ICMP-from-192.168.2.0-to-192.168.1.0'
option src 'lan'
option dest 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option dest_ip '192.168.1.0/24'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Exempt-IPsec-Traffic-UDP-500'
option src 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Exempt-IPsec-Traffic-UDP-4500'
option src 'lan'
option dest_port '4500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-SSH-SCP'
option src 'wan'
option dest_port '22'
option proto 'tcp'
option target 'ACCEPT'

config rule
option name 'Allow-ICMP-from-192.168.2.0/24-to-192.168.1.0/24'
option src 'lan'
option dest 'lan'
option proto 'icmp'
option icmp_type 'echo-request'
option dest_ip '192.168.1.0/24'
option target 'ACCEPT'

route -n on 1.1.1.2
root@OpenWrt:/etc/config# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 1.1.1.1 0.0.0.0 UG 0 0 0 br-wan
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-wan
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

router 1: 1.1.1.1 ist the current Security Associations (SAs) in the StrongSWAN VPN (Virtual Private Network) configuration
root@OpenWrt:/etc/swanctl# swanctl --list-sas
plugin 'wolfssl' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-wolfssl.so: wolfssl_ec_public_key_load: symbol not found
myvpn: #2, ESTABLISHED, IKEv2, 172622ea1b0b01a8_i 2489b8ad9c1c7a74_r*
local '1.1.1.1' @ 1.1.1.1[4500]
remote '1.1.1.2' @ 1.1.1.2[4500]
AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 438s ago, rekeying in 12555s

MY Question
when i send data on port 4500 it show esp but traffic isnt show encrpyted and while tunnel is created the data isnt encrpyted if i do ssh or send any pther data in any port other than 4500...i stuck in this can you help me to solve this problem??