Goal: I have a scenario where I want to split traffic coming from clients connected to Router B (station) with destination clients connected to Router A (AP).
I have two subnets numbered #1 (172.16.1.0) and #3 (172.16.3.0) connected to Router B.
I have the same two subnets connected to Router A.
The wireless interfaces on both routers belong to subnet #3.
Wireless link is established and connecting clients vice versa works. Wireless interfaces and interfaces belonging to subnet #3 are bridged on both routers.
On top of that wireless link I configured an EOIP connection to connect subnet #1 behind both routers. The EOIP interfaces are bridged with the interfaces belonging to subnet #1. Connecting clients vice versa works.
Now I got stuck as I am trying to encrypt the subnet #1 traffic between the two routers with IPSec:
I configured peers on each router using subnet #1, connection is established.
I configured the policy using src and dst IP address from subnet #1 and SA src and SA dst address either from subnet #1, tunnel unchecked.
The installed SAs come up on both routers, but traffic is not encrypted as the current bytes do not grow.
What is wrong?!?
Maybe with the explanation below my setup is drafted more clearly:
So wireless connection is established between router A (172.16.3.252) and router B (172.16.3.253).
EOIP connection is established between router A (172.16.3.252) and router B (172.16.3.253).
EOIP is bridged with 172.16.1.252 on router A and with 172.16.1.253 on router B.
IPSec peer is established between 172.16.1.252 and 172.16.1.253.
IPSec policy is configured between 172.16.1.252 and 172.16.1.253.
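The setup described above, written out as an added RouterOS configuration example for router A (this is not the poster's own export; the interface, profile and proposal names and the pre-shared key are assumptions, and the syntax assumes RouterOS 6.43 or later). EoIP carries the bridged subnet #1 frames inside GRE packets exchanged between the tunnel endpoints 172.16.3.252 and 172.16.3.253, so those GRE packets are what a transport-mode policy has to match; a policy between 172.16.1.252 and 172.16.1.253 only ever sees the routers' own packets, which is why its byte counters stay flat while client traffic flows.

```routeros
# Router A (172.16.3.252 on the wireless bridge, 172.16.1.252 on subnet #1).
# Assumed names: bridge3 (subnet #3 + wlan), bridge1 (subnet #1 + EoIP).

# EoIP tunnel between the wireless-side addresses, bridged into subnet #1
/interface eoip add name=eoip-to-B local-address=172.16.3.252 \
    remote-address=172.16.3.253 tunnel-id=1
/interface bridge port add bridge=bridge1 interface=eoip-to-B

# IKEv2 peer on the tunnel endpoints (not on the subnet #1 addresses)
/ip ipsec profile add name=eoip-prof enc-algorithm=aes-256 \
    hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=routerB address=172.16.3.253/32 \
    profile=eoip-prof exchange-mode=ike2
/ip ipsec identity add peer=routerB auth-method=pre-shared-key \
    secret="CHANGE_ME_PLACEHOLDER_PSK"
/ip ipsec proposal add name=eoip-prop enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp2048

# Policy as described in the post: subnet #1 router addresses, transport mode.
# Bridged client frames never pass this selector, so it stays idle.
# /ip ipsec policy add src-address=172.16.1.252/32 dst-address=172.16.1.253/32 \
#     sa-src-address=172.16.1.252 sa-dst-address=172.16.1.253 tunnel=no \
#     proposal=eoip-prop action=encrypt

# Policy that matches the EoIP encapsulation: GRE between the endpoints.
/ip ipsec policy add peer=routerB tunnel=no protocol=gre \
    src-address=172.16.3.252/32 dst-address=172.16.3.253/32 \
    sa-src-address=172.16.3.252 sa-dst-address=172.16.3.253 \
    proposal=eoip-prop action=encrypt level=require

# Verify: the policy's byte counters and /ip ipsec installed-sa should now
# grow while clients on subnet #1 talk across the link.
/ip ipsec policy print stats
/ip ipsec installed-sa print
```

Router B mirrors this with the 172.16.3.252 and 172.16.3.253 addresses swapped; on RouterOS 6.x the same pair of GRE policies can also be generated automatically by setting ipsec-secret on the EoIP interface instead of writing the peer and policy by hand.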