If this router is VPN server (clients connect to it), then you want (before the last drop in input chain):
/ip firewall filter
add chain=input dst-port=500,4500 protocol=udp action=accept
add chain=input protocol=ipsec-esp action=accept
If VPN clients should access router itself (via encrypted tunnel), then:
/ip firewall filter
add chain=input ipsec-policy=in,ipsec action=accept
Incoming traffic from VPN clients to LAN is already covered by first rule in forward chain. And the second one is for outgoing traffic to VPN clients. If you want further filtering and not allow everything from/to VPN clients, you can change them to jumps and then subchains are almost like if you have interface for IPSec, e.g.:
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec action=jump jump-target=ipsec-in comment="VPN->LAN"
add chain=forward ipsec-policy=out,ipsec action=jump jump-target=ipsec-out comment="LAN->VPN"
add chain=ipsec-in protocol=tcp dst-port=3389 action=accept comment="all clients can access RDP"
add chain=ipsec-in src-address=192.168.77.100 comment="this client can access everything"
...
add chain=ipsec-in action=drop comment="nothing else is allowed"
add chain=ipsec-out dst-address=192.168.77.200 comment="allow access to client"
...
add chain=ipsec-out action=drop comment="nothing else is allowed"
Finally your:
/ip firewall filter
add chain=input action=accept src-address=192.168.77.0/24 comment="VPN inbound"
is not great, because it doesn't care whether it's encrypted traffic or not. But as long as IPSec peer is enabled and there's policy for 192.168.77.0/24, non-encrypted traffic from 192.168.77.0/24 from other sources will be filtered anyway.