linux
Daniil Muidinov, 2016-12-15 12:14:57

Why is the subnet not available through the IPsec tunnel between Linux and MikroTik?

Good afternoon,
The problem I'm trying to solve is to make a subnet in the cloud (10.21.21.0/24) available to devices connected to the MikroTik router in the office (192.168.1.0/24).

MikroTik router, latest firmware 6.37.3
    Public IP: 1.1.1.1
    Office IP: 192.168.1.1
CentOS 7 with openswan
    Public IP: 2.2.2.2
    Cloud IP: 10.21.21.6
cat /etc/ipsec.conf

config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    nat_traversal=yes
    protostack=netkey
    keep_alive=60
    oe=off

conn mikrotik
    type=tunnel
    disablearrivalcheck=no
    authby=secret
    # Phase 2 (esp=) and Phase 1 (ike=) transforms; these must match the MikroTik peer/proposal
    esp=aes-sha1
    ike=3des-md5-modp1024
    ikelifetime=1h
    salifetime=1h
    keyexchange=ike
    pfs=no
    forceencaps=yes
    auto=start
    # Linux (CentOS) side
    left=2.2.2.2
    leftsourceip=10.21.21.6
    leftsubnet=10.21.21.0/24
    # MikroTik side
    right=1.1.1.1
    rightsubnet=192.168.1.0/24

On the router:
/ip ipsec peer add address=2.2.2.2 enc-algorithm=3des generate-policy=port-override hash-algorithm=md5 lifetime=1h secret=MYSECRETPASSWORD
/ip firewall nat add chain=srcnat action=accept dst-address=10.21.21.0/24 src-address=192.168.1.0/24 place-before=0

ipsec auto status
000 Connection list:
000
000 "mikrotik": 10.21.21.0/24===2.2.2.2<2.2.2.2>...1.1.1.1<1.1.1.1>===192.168.1.0/24; erouted; eroute owner: #149
000 "mikrotik":     oriented; my_ip=10.21.21.6; their_ip=unset
000 "mikrotik":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "mikrotik":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "mikrotik":   labeled_ipsec:no;
000 "mikrotik":   policy_label:unset;
000 "mikrotik":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "mikrotik":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "mikrotik":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "mikrotik":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "mikrotik":   conn_prio: 24,24; interface: ens18; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "mikrotik":   dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "mikrotik":   newest ISAKMP SA: #150; newest IPsec SA: #149;
000 "mikrotik":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
000 "mikrotik":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "mikrotik":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "mikrotik":   ESP algorithms wanted: AES(12)_000-SHA1(2)_000
000 "mikrotik":   ESP algorithms loaded: AES(12)_000-SHA1(2)_000
000 "mikrotik":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #150: "mikrotik":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2469s; newest ISAKMP; lastdpd=21s(seq in:0 out:0); idle; import:not set
000 #149: "mikrotik":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 983s; newest IPSEC; eroute owner; isakmp#148; idle; import:admin initiate
000 #149: "mikrotik" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=618B ESPin=1KB! ESPmax=4194303B
000
000 Bare Shunt list:

After the connection is established, within a couple of minutes ping starts working from 192.168.1.0/24 to 10.21.21.0/24, but apart from ping nothing works, neither SSH nor web. With a Linux-to-Linux connection using the same openswan config, everything works.
What could be the problem?
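One check a practitioner makes when small ICMP echoes cross a tunnel but SSH and HTTP sessions stall is the effective MTU inside the tunnel. The script below is an added example, not part of the question or of openswan: it parses the two `ipsec auto status` lines posted above (copied from the post) to find the negotiated ESP transform and the NAT-T setting, then computes the on-the-wire size of a default-size ping and of a full 1500-byte segment under RFC 4303 ESP tunnel mode with UDP encapsulation, and the largest inner packet that still fits a 1500-byte path. The 1500-byte path MTU, the AES-CBC block/IV size and the 96-bit HMAC-SHA1 ICV are assumptions stated in the code.

```python
"""Added example: derive ESP/NAT-T overhead from the posted `ipsec auto status`
output and compare it against what ping and TCP actually put on the wire.
Assumes RFC 4303 ESP in tunnel mode, AES-CBC (16-byte IV/block), HMAC-SHA1-96
ICV, and a 1500-byte path MTU between the two public addresses."""
import re

# Constructed sample: the two status lines from the question that matter here.
STATUS_SAMPLE = """\
000 "mikrotik":   dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "mikrotik":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
"""

# Cipher block (and IV) size, and truncated ICV length of the integrity algorithm.
CIPHER_BLOCK = {"AES": 16, "3DES": 8}
ICV_LEN = {"HMAC_SHA1": 12, "HMAC_MD5": 12, "HMAC_SHA2_256": 16}


def parse_status(text):
    """Return (cipher, integrity, nat_t) from openswan/libreswan status output."""
    m = re.search(r"ESP algorithm newest:\s*([A-Z0-9_]+?)(?:_\d+)?-(HMAC_[A-Z0-9_]+)", text)
    if not m:
        raise ValueError("no established ESP SA in status output")
    cipher = m.group(1).split("_")[0]          # "AES_128" -> "AES", "3DES_CBC" -> "3DES"
    nat_t = re.search(r"force_encaps:(yes|no)", text)
    return cipher, m.group(2), bool(nat_t and nat_t.group(1) == "yes")


def esp_tunnel_size(inner_len, cipher="AES", integ="HMAC_SHA1", nat_t=True):
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes."""
    block = CIPHER_BLOCK[cipher]
    # Payload + padding + pad-length byte + next-header byte fill whole cipher blocks.
    encrypted = -(-(inner_len + 2) // block) * block
    esp = 8 + block + encrypted + ICV_LEN[integ]      # SPI+seq, IV, ciphertext, ICV
    return 20 + (8 if nat_t else 0) + esp             # outer IPv4 header (+ UDP/4500)


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner packet whose encapsulation fits path_mtu without fragmentation."""
    inner = path_mtu
    while esp_tunnel_size(inner, **kw) > path_mtu:
        inner -= 1
    return inner


def analyse(status_text, path_mtu=1500):
    cipher, integ, nat_t = parse_status(status_text)
    kw = dict(cipher=cipher, integ=integ, nat_t=nat_t)
    inner = max_inner_mtu(path_mtu, **kw)
    return {
        "cipher": cipher, "integ": integ, "nat_t": nat_t,
        "ping_84_on_wire": esp_tunnel_size(84, **kw),       # default ping: 56 data + 28 hdr
        "full_1500_on_wire": esp_tunnel_size(1500, **kw),   # a full-size TCP segment
        "max_inner_mtu": inner,
        "tcp_mss_clamp": inner - 40,                        # minus IPv4 (20) + TCP (20)
    }


if __name__ == "__main__":
    for key, value in analyse(STATUS_SAMPLE).items():
        print(f"{key}: {value}")
```

For the transform on this page (AES-128, HMAC-SHA1, NAT-T on port 4500) a default ping becomes 160 bytes on the wire while a full 1500-byte segment becomes 1568 and needs fragmentation; the largest inner packet that fits is 1422 bytes, i.e. a TCP MSS of 1382. A size sweep with `ping -M do -s <n>` to a host behind the tunnel, with `n` just above and below `max_inner_mtu` minus 28, confirms or rules this out: if large probes fail while small ones pass, clamping MSS (the iptables `TCPMSS --clamp-mss-to-pmtu` target on the CentOS side, or a mangle rule with `action=change-mss` on the MikroTik) is the usual fix; if the sweep shows no size-dependent loss, the cause lies elsewhere (policy, firewall or fast-path handling on the router).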


2 answers
Cool Admin, 2016-12-15
@ifaustrue

Create the IPsec policy on the MikroTik by hand. Other than that I don't see any problems; everything seems OK.
Are there any firewall rules on the MikroTik that interfere?
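What a hand-written policy looks like for the configuration posted in the question, as an added example that is not part of this answer or of the question: a small Python script reads the openswan `conn` block from the post and emits the mirrored MikroTik commands (Linux `left*` becomes the router's remote side, `right*` its own side, `pfs=no` becomes `pfs-group=none`, and the peer is switched to `generate-policy=no` because the static policy now takes the place of the generated one). The RouterOS 6.x command syntax (the page runs 6.37.3, before the 6.43 profile/identity rework) is written from memory of that release family and is an assumption to verify against the router's own `print` output; the conn text is copied from the question.

```python
"""Added example, not from the question or the answer: read the openswan `conn`
posted in the question and emit the matching hand-written MikroTik policy.
RouterOS 6.x syntax (6.37.3 on the page, before the 6.43 profile/identity
rework) is written from memory of that release family; verify on the router."""

# Constructed sample: the conn block from the question, mixed tabs and spaces as posted.
CONN_SAMPLE = """\
conn mikrotik
        \ttype=tunnel
        \tauthby=secret
        \tesp=aes-sha1
        \tike=3des-md5-modp1024
        \tikelifetime=1h
        \tsalifetime=1h
        \tpfs=no
        \tforceencaps=yes
        \tauto=start
        \tleft=2.2.2.2
        \tleftsourceip=10.21.21.6
        \tleftsubnet=10.21.21.0/24
                right=1.1.1.1
      \t        rightsubnet=192.168.1.0/24
"""

# openswan algorithm tokens -> RouterOS names (phase 2 proposal, phase 1 peer).
ESP_ENC = {"aes": "aes-128-cbc", "aes128": "aes-128-cbc", "aes256": "aes-256-cbc", "3des": "3des"}
ESP_AUTH = {"sha1": "sha1", "md5": "md5", "sha2_256": "sha256"}
IKE_ENC = {"3des": "3des", "aes": "aes-128", "aes128": "aes-128", "aes256": "aes-256"}
IKE_HASH = {"md5": "md5", "sha1": "sha1"}


def parse_conn(text, name):
    """Return the key=value pairs of `conn <name>`; leading whitespace is free-form."""
    conn, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:                      # section header: "config setup", "conn x"
            current = line.split()[-1]
            continue
        if current == name:
            key, value = (s.strip() for s in line.split("=", 1))
            conn[key] = value
    if not conn:
        raise KeyError(f"conn {name} not found")
    return conn


def routeros_commands(conn, router_public_ip):
    """Mirror the Linux conn onto the MikroTik. router_public_ip must equal conn right=."""
    if conn.get("right") != router_public_ip:
        raise ValueError("conn right= is not this router's public address")
    enc, auth = conn["esp"].split("-")
    ike_enc, ike_hash, dh_group = conn["ike"].split("-")
    # openswan pfs=yes reuses the IKE DH group; pfs=no must be pfs-group=none on the router.
    pfs = "none" if conn.get("pfs", "yes") == "no" else dh_group
    return [
        # Phase 2 transform; a mismatch here fails Quick Mode even though Phase 1 is up.
        f"/ip ipsec proposal set default enc-algorithms={ESP_ENC[enc]} "
        f"auth-algorithms={ESP_AUTH[auth]} pfs-group={pfs} lifetime={conn.get('salifetime', '8h')}",
        # Phase 1 as posted, but the static policy below takes over from generate-policy.
        f"/ip ipsec peer set [find address~\"{conn['left']}\"] enc-algorithm={IKE_ENC[ike_enc]} "
        f"hash-algorithm={IKE_HASH[ike_hash]} dh-group={dh_group} "
        f"lifetime={conn.get('ikelifetime', '1h')} nat-traversal=yes generate-policy=no",
        # The hand-written policy: office LAN <-> cloud subnet, SA between the two public IPs.
        f"/ip ipsec policy add src-address={conn['rightsubnet']} dst-address={conn['leftsubnet']} "
        f"protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes "
        f"sa-src-address={conn['right']} sa-dst-address={conn['left']} proposal=default",
        # Tunnel traffic must bypass masquerade, so this accept rule goes above it.
        f"/ip firewall nat add chain=srcnat action=accept src-address={conn['rightsubnet']} "
        f"dst-address={conn['leftsubnet']} place-before=0",
    ]


if __name__ == "__main__":
    for cmd in routeros_commands(parse_conn(CONN_SAMPLE, "mikrotik"), "1.1.1.1"):
        print(cmd)
```

After applying the output, `/ip ipsec policy print` should show the static policy with `ph2-state` established and no second dynamic entry for the same subnets; `/ip ipsec installed-sa print` then shows the ESP SAs with the AES/SHA1 transform the Linux side reports.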

cancelf, 2018-07-04
@cancelf

Does the firewall on the MikroTik pass traffic from the remote side? I made a similar config, and I remember that the tunnel did not work properly until I disabled allow-fast-path in /ip settings.
