IPsec firewall setup

Hi, I'm completely lost in the Turris (Omnia) firewall, both in LuCI and when viewed as iptables chains.
I have a site-to-site IPsec tunnel that used to be between two Ubiquiti devices and worked well. I copied the config from one of the devices, which was scheduled to be replaced by the Omnia, and used the config on the Omnia. As far as I can tell, when I shut down the firewall, everything works: I can ping the other side's IP (even the devices on the other network) and all looks fine.
When I start the firewall up, I cannot ping across the IPsec tunnel. But the tunnel seems to exist and gets started even with the firewall running (the tunnel is ESTABLISHED in `ipsec statusall`).
I have the default firewall that the Omnia provides, no extra rules, only allowed ports 500, 4500 and 1701.
Plus I have `rightfirewall=yes` in ipsec.conf…

Any suggestion? I went through what looked relevant in this forum, but I'm just completely clueless, especially with this many zones and stuff…
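For comparison, here is an added example of an OpenWrt/Turris `/etc/config/firewall` fragment that covers the pieces a port-only rule set leaves out: IKE on UDP 500/4500, the ESP protocol itself (which has no port, so the three port rules never match it), and accept rules for the decrypted traffic using the iptables `policy` match via fw3's `extra` option. This is not from the original post; the zone names `wan` and `lan` and the `kmod-ipt-ipsec` package (needed for `-m policy`) are assumptions.

```uci
# Added example: firewall rules for a site-to-site IPsec tunnel on OpenWrt/fw3.
# Assumes the default 'wan' and 'lan' zones and that kmod-ipt-ipsec is installed
# so that iptables understands '-m policy'.

# IKE and NAT-T: negotiation traffic from the remote peer to this router.
config rule
	option name 'Allow-IKE'
	option src 'wan'
	option proto 'udp'
	option dest_port '500 4500'
	option target 'ACCEPT'

# ESP is an IP protocol (50), not a port; without this rule the encrypted
# packets are dropped on INPUT even though IKE succeeds and the SA is ESTABLISHED.
config rule
	option name 'Allow-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

# Decrypted packets re-enter the stack and are forwarded wan -> lan; accept only
# those that the kernel actually decrypted from an IPsec policy.
config rule
	option name 'IPsec-policy-in'
	option src 'wan'
	option dest 'lan'
	option proto 'all'
	option extra '-m policy --dir in --pol ipsec --proto esp'
	option target 'ACCEPT'

# Reply/outbound traffic lan -> wan that will be encrypted by an IPsec policy.
config rule
	option name 'IPsec-policy-out'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option extra '-m policy --dir out --pol ipsec --proto esp'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, `iptables -L -v` should show hit counters rising on the ESP and policy rules while pinging across the tunnel; if the `policy` rules are missing from the listing, the match module is not installed.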