Mikrotik (VPN Client) no ping between peers and vpn internal network (solved)

Hey there;

Strongswan Server (Selfhost vpn internet) IP:20.20.20.20 (VPN Internal IP pool 172.10.10.0)
Mikrotik as vpn client (IKEv2 ) 192.168.88.1
Peers (Mikrotik internal devices using a specific connection mark in some VLAN) Example: 192.168.1.2

Two scenarios:

- Peer 192.168.1.2 configured directly without using Mikrotik as VPN client:
All OK, internal VPN network ping between 192.168.1.2 and 172.10.10.1 OK, works like a charm, fast and very stable.

- Peer 192.168.1.2 without VPN configuration, Mikrotik as VPN client:
No internal ping in VPN network between 192.168.1.2 and 172.10.10.1; connection is fast but I can't post in forums or log in to websites.

Dynamic address and routes are generated:

 D   172.10.10.1/24     172.10.10.0      PPPoE
 ADC 172.10.10.1/24     172.10.10.0      PPPoE

I think the server is not the problem, because if I configure a VPN inside the internal network devices it works fine. I think the problem is the Mikrotik IPsec policy and NAT rules that are generated dynamically:

D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=172.10.10.2 connection-mark=strongswan

I was playing with the firewall, creating forwarding rules between internal VLANs and the internal VPN network, but no way. All rules are placed before fasttrack.
Any idea?

[228284.036300] [UFW BLOCK] IN=ens3 OUT= MAC=**************:08:00 SRC=IO DST=IP VPN LEN=566 TOS=0x00 PREC=0x00 TTL=51 ID=40084 PROTO=TCP SPT=443 DPT=40598 WINDOW=335 RES=0x00 ACK PSH URGP=0

StrongSwan is a headache, the documentation is too long and using a VTE device changes the rules, but the problem here seems to be the firewall. I tried to open port 443 but without luck.
The conmark plugin is disabled, following the documentation.

Using the StrongSwan recommended rules and switching from ufw to iptables resolved the issue. Now everything works fine.
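The UFW BLOCK line quoted above is the useful clue: SPT=443 with ACK and PSH set and no SYN is a mid-stream reply from the web server, so the host firewall dropped return traffic it had no connection-tracking state for rather than a new inbound connection. The following is an added example (not the poster's code or StrongSwan's) that parses such kernel log lines and labels that pattern; the sample lines and addresses are constructed, since the post redacted them.

```python
import re

# Constructed sample, modelled on the UFW BLOCK entry in the post; addresses are placeholders.
SAMPLE_RETURN = (
    "[228284.036300] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=203.0.113.10 DST=172.10.10.2 LEN=566 TOS=0x00 PREC=0x00 TTL=51 ID=40084 "
    "PROTO=TCP SPT=443 DPT=40598 WINDOW=335 RES=0x00 ACK PSH URGP=0"
)
# Constructed contrast case: a genuine new inbound SSH connection attempt.
SAMPLE_NEW = (
    "[228290.000000] [UFW BLOCK] IN=ens3 OUT= SRC=198.51.100.7 DST=172.10.10.2 "
    "LEN=60 PROTO=TCP SPT=51515 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0"
)

# Bare tokens the kernel emits for TCP flags (no '=' sign).
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_ufw_block(line):
    """Return key=value fields plus a FLAGS set, or None if this is not a UFW BLOCK line."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # e.g. SPT -> "443"; OUT -> "" when empty
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def classify(fields):
    """Label the dropped packet: reply to an existing session, new inbound connection, or other."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    sport = int(fields.get("SPT", "0"))
    dport = int(fields.get("DPT", "0"))
    # ACK without SYN, from a well-known port to an ephemeral port: a reply the
    # stateful firewall did not associate with an outbound connection.
    if "ACK" in flags and "SYN" not in flags and sport < 1024 <= dport:
        return "return-traffic"
    if "SYN" in flags and "ACK" not in flags:
        return "new-inbound"
    return "other"
```

Repeated "return-traffic" drops for tunnelled hosts indicate the ESTABLISHED,RELATED accept rule is not matching the VPN path, which is what the StrongSwan recommended iptables rules address.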