Sorry to necro bump this. The solution proposed above doesn't work because those are the iptables rules that the ipsec daemon adds for a routed tunnel on the host running the IPSec daemon.
They are not the correct rules to forward IPSec traffic from a public IPv4 address to an IPSec server sitting behind NAT.
From your description, I am assuming this is your use case:
(Internet) -----> (OpenWrt) ------> (IPSec)
Where your OpenWrt Internet interface has a public IPv4 address, and the IPSec server is on LAN.
If your OpenWrt router has an IPv4 address which is on a private subnet (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or you cannot access the OpenWrt Internet-facing IPv4 address from another server on the internet, then it's likely your ISP has implemented carrier grade NAT (cgNAT) and this will not work.
You need the following INPUT rules:
iptables -A input_wan_rule -i WANif -p udp -m multiport --dports 4500 -m comment --comment "012 accept ipsec-nat" -j ACCEPT
iptables -A input_wan_rule -i WANif -p udp -m multiport --dports 500 -m comment --comment "015 accept isakmp" -j ACCEPT
iptables -A input_wan_rule -i WANif -p esp -m comment --comment "018 accept ipsec-esp" -j ACCEPT
You need to change WANif to the interface of your WAN (e.g. eth0.2). You can use the rule without limiting the input to the WAN interface, but in my opinion it's better to be specific. If you want to use the rule without explicitly setting your WAN interface, then simply remove the -i WANif flag from the above rules.
You need the following FORWARD rules:
iptables -A zone_wan_forward -d LAN_dest/32 -p udp -m multiport --dports 4500 -m comment --comment "014 ipsecnat-forward" -j ACCEPT
iptables -A zone_wan_forward -d LAN_dest/32 -p udp -m multiport --dports 500 -m comment --comment "017 isakmp-forward" -j ACCEPT
Fill out LAN_dest with the IP address of the IPSec server on your local network.
You need the following PREROUTING rules in your nat table:
iptables -t nat -A zone_wan_prerouting -d public_IPv4/32 -p udp -m multiport --dports 4500 -m comment --comment "013 ipsecnat-dnat" -j DNAT --to-destination LAN_dest:4500
iptables -t nat -A zone_wan_prerouting -d public_IPv4/32 -p udp -m multiport --dports 500 -m comment --comment "016 isakmp-dnat" -j DNAT --to-destination LAN_dest:500
iptables -t nat -A zone_wan_prerouting -d public_IPv4/32 -p esp -m comment --comment "019 esp-dnat" -j DNAT --to-destination LAN_dest
Fill out public_IPv4 with the IP address on the WAN interface of your router. This is only recommended if you have a static IP address from your provider. If you don't have a static IP address, then remove the "-d public_IPv4/32" flag.
Fill out LAN_dest with the IP address of the IPSec server on your local network.
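The rule set from the post above, as an added POSIX shell generator that is not part of the original answer: it takes WANif, LAN_dest and an optional public_IPv4, drops the "-d" match when no static address is given, refuses a WAN address in a private or cgNAT range (where the forward cannot work), and adds one FORWARD accept for DNATed ESP that the post does not list. The function names gen_ipsec_forward and is_private_ipv4 are assumed, and the example only prints the iptables commands; pipe them to sh on the router to apply.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the OpenWrt iptables
# rule set for forwarding IPsec (IKE/UDP 500, NAT-T/UDP 4500, ESP) to a
# server on the LAN. Helper names are hypothetical.

# Return 0 when the dotted-quad IPv4 address is private (RFC 1918) or in the
# RFC 6598 cgNAT shared range 100.64.0.0/10; such a WAN address means the
# router is itself behind NAT and inbound forwarding will not work.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    esac
    return 1
}

# Print the rules. Usage: gen_ipsec_forward WANif LAN_dest [public_IPv4]
# Omit public_IPv4 on a dynamic WAN address: the "-d public_IPv4/32" match
# is then left out of the nat PREROUTING rules, as the post recommends.
gen_ipsec_forward() {
    wanif=$1; lan=$2; pub=$3
    dst=""
    if [ -n "$pub" ]; then
        if is_private_ipv4 "$pub"; then
            echo "error: $pub is private/cgNAT; port forwarding cannot work" >&2
            return 1
        fi
        dst="-d $pub/32 "
    fi
    cat <<EOF
iptables -A input_wan_rule -i $wanif -p udp -m multiport --dports 4500 -m comment --comment "012 accept ipsec-nat" -j ACCEPT
iptables -A input_wan_rule -i $wanif -p udp -m multiport --dports 500 -m comment --comment "015 accept isakmp" -j ACCEPT
iptables -A input_wan_rule -i $wanif -p esp -m comment --comment "018 accept ipsec-esp" -j ACCEPT
iptables -A zone_wan_forward -d $lan/32 -p udp -m multiport --dports 4500 -m comment --comment "014 ipsecnat-forward" -j ACCEPT
iptables -A zone_wan_forward -d $lan/32 -p udp -m multiport --dports 500 -m comment --comment "017 isakmp-forward" -j ACCEPT
iptables -A zone_wan_forward -d $lan/32 -p esp -m comment --comment "020 esp-forward (added; DNATed ESP is otherwise dropped)" -j ACCEPT
iptables -t nat -A zone_wan_prerouting ${dst}-p udp -m multiport --dports 4500 -m comment --comment "013 ipsecnat-dnat" -j DNAT --to-destination $lan:4500
iptables -t nat -A zone_wan_prerouting ${dst}-p udp -m multiport --dports 500 -m comment --comment "016 isakmp-dnat" -j DNAT --to-destination $lan:500
iptables -t nat -A zone_wan_prerouting ${dst}-p esp -m comment --comment "019 esp-dnat" -j DNAT --to-destination $lan
EOF
}

# Example with constructed addresses (documentation ranges, not real hosts):
# gen_ipsec_forward eth0.2 192.168.1.10 203.0.113.5
```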