VPN
Dmitry Lebedev, 2016-08-21 19:14:08

How to set up IPSec VPN (Site-to-Site) between Mikrotik and Zyxel Zywall?

Hello.
The other day I had to set up an IPSec VPN (Site-to-Site) between a Mikrotik and a Zywall.
Initial data:
Zywall
external IP - xxx.xxx.xxx.xxx
local network - 192.168.91.0/24
VPN settings - Phase 1, Phase 2, Routing (screenshots, not reproduced here)
Mikrotik
external IP - yyy.yyy.yyy.yyy
local network - 192.168.88.0/24
VPN settings - IPSec, Firewall (screenshots, not reproduced here)
The VPN comes up successfully, both on the Mikrotik side and on the Zywall side.
But that is not the issue: packets from the Zywall local network (192.168.91.0/24) reach the Mikrotik local network (192.168.88.0/24), but they do not want to go back.
I have re-read I don't know how many articles and tried all sorts of things, but Mikrotik does not want to see the local network behind the Zywall.
The problem is clearly in routing, but I don't know how to fix it, so I'm asking for help.

3 answer(s)
CityCat4, 2016-08-22
@k3NGuru

Where are the policies? Separate routing - well, at least on Mikrotik - is not needed. Mikrotik will figure out where to send it. But naturally, firewall rules are needed that let the traffic through after it has been decrypted.
It is the policies that link the virtual subnets to the tunnel.
That is, roughly speaking, this is what happens once the connection is up.
1. Incoming packet.
Mikrotik receives an ESP packet. If the firewall rules let it through (input/output chains, not forward!), Mikrotik looks up the security associations (SA): is there an association with this ID? If there is, the packet is decrypted and passes through the firewall again - this time the forward chain - and goes out the desired interface.
2. Outgoing packet.
Mikrotik receives a packet from the internal network. If the forward chain rules let it through, it looks at the security policies (SP): does this packet need to be encrypted? If so, the tunnel start and end addresses are taken from the policy, the SA for them is looked up, the key is taken from the SA, the packet is encrypted and passes through the firewall again - in encrypted form. If it is let through, off it goes.
There is no routing anywhere here; ESP takes its place. Does the Zyxel decrypt packets from Mikrotik correctly? If you use SHA256, give it up: Mikrotik has some kind of implementation of its own, compatible only with Mikrotik; set SHA1.

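The two-step flow CityCat4 describes (IKE/ESP through the input chain, decrypted traffic through the forward chain, the policy rather than a route tying the subnets to the tunnel) as a RouterOS configuration. This is an added example, not configuration posted by anyone on this page, and it assumes RouterOS 6.x with the pre-6.43 peer syntax, the WAN placeholders xxx.xxx.xxx.xxx (Zywall) and yyy.yyy.yyy.yyy (Mikrotik) from the question, a proposal named `zywall`, a placeholder PSK, and that the Mikrotik has the usual masquerade rule for Internet access:

```routeros
# RouterOS 6.x, pre-6.43 peer syntax (assumed). Placeholders: xxx.xxx.xxx.xxx = Zywall WAN,
# yyy.yyy.yyy.yyy = Mikrotik WAN; "zywall" proposal name and the PSK are made up here.

# Phase 1 / Phase 2 parameters: must match the Zywall side exactly (SHA1, per the answer above)
/ip ipsec proposal
add name=zywall auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 auth-method=pre-shared-key secret="CHANGE-ME-PSK" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024

# Policy: this, not a static route, binds 192.168.88.0/24 <-> 192.168.91.0/24 to the tunnel endpoints
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=192.168.91.0/24 tunnel=yes action=encrypt \
    level=require proposal=zywall sa-src-address=yyy.yyy.yyy.yyy sa-dst-address=xxx.xxx.xxx.xxx

# Step 1 of the flow: IKE and ESP terminate on the router itself, so they traverse the INPUT chain.
# These rules must sit above any catch-all drop in chain=input.
/ip firewall filter
add chain=input protocol=udp dst-port=500 src-address=xxx.xxx.xxx.xxx action=accept \
    comment="IKE from Zywall"
add chain=input protocol=udp dst-port=4500 src-address=xxx.xxx.xxx.xxx action=accept \
    comment="NAT-T, only needed if a NAT sits between the peers"
add chain=input protocol=ipsec-esp src-address=xxx.xxx.xxx.xxx action=accept \
    comment="ESP from Zywall"

# Step 2 of the flow: LAN traffic (decrypted inbound, to-be-encrypted outbound) crosses the FORWARD chain.
# ipsec-policy=in,ipsec matches only packets that arrived decrypted via a policy, so this accept does not
# expose 192.168.88.0/24 to plain-text traffic from the Internet that merely spoofs a 192.168.91.x source.
add chain=forward ipsec-policy=in,ipsec src-address=192.168.91.0/24 dst-address=192.168.88.0/24 \
    action=accept comment="Zywall LAN -> Mikrotik LAN (after decryption)"
add chain=forward ipsec-policy=out,ipsec src-address=192.168.88.0/24 dst-address=192.168.91.0/24 \
    action=accept comment="Mikrotik LAN -> Zywall LAN (before encryption)"

# NAT bypass (assumes an action=masquerade rule exists). srcnat runs before the policy lookup: if the
# source of a reply is rewritten to yyy.yyy.yyy.yyy it no longer matches the policy and is sent in the
# clear instead of through the tunnel, which looks exactly like "packets don't want to go back".
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.91.0/24 action=accept \
    place-before=0 comment="do not masquerade site-to-site traffic"

# Checks, in the order the flow happens
# Phase 1 up with the Zywall?
/ip ipsec remote-peers print
# One SA per direction; the SPIs should match what the Zywall shows for the same tunnel
/ip ipsec installed-sa print
# ph2-state=established on the 88<->91 policy means the subnets are bound to the tunnel
/ip ipsec policy print
# Both forward rules should count packets once hosts on either side talk; a zero counter on the
# "out" rule with a non-zero "in" rule points at NAT or the forward chain, not at routing
/ip firewall filter print stats where chain=forward
```

The forward accept rules must be placed above any default "drop everything coming from WAN" rule in chain=forward, otherwise the decrypted packets are dropped on their second pass through the firewall exactly as described in step 1 above. The mirror of this (a policy for 192.168.91.0/24 -> 192.168.88.0/24 and a firewall rule permitting it) has to exist on the Zywall side as well.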
Gregory, 2016-08-21
@Maxlinus

On Mikrotik, in /IP/Routes, did you add a route to the 192.168.91.0/24 network?
https://habrahabr.ru/post/216215/
Does the Zyxel have SSH/Telnet access, or some other way to get to the command line and see the route list there?

frjonatan, 2018-03-13
@frjonatan

I had a similar problem; it was solved by setting a route on Mikrotik (Dst - remote subnet, Gateway - LAN) and allowing packets from the local subnet to the remote one in the Zywall firewall.