allow incoming esp traffic

config/etc/nftables.conf

@@ -36,6 +36,9 @@ table ip filter {
 
         # overlay network traffic
         udp dport 4789 accept
+        
+        # allow IPSEC connections (encrypted overlay networks)
+        ip protocol esp accept
     }
     chain FORWARD {
         type filter hook forward priority 0;