I have a doubt regarding IPsec traffic.
Let's analyse the encryption. In the first diagram below, do we have a situation where a packet has a destination address that belongs to the other side of the IPsec tunnel? If so, it goes through the FORWARD chain (step 3), and then, if it matches an IPsec policy, it is encrypted. Does that mean only encryption? If so, does it leave routing through the "L" point, only then get encapsulated, and come back to routing through the "K" point? Or are all the things that belong to the IPsec process done directly in the "IPSEC ENCRYPTION" box, so that after leaving the "L" point the packet goes directly to the physical output interface?