You can add firewall rules that only allow set traffic in and out of the tunnel:
0 20 #Allow any traffic within an IPSEC tunnel in both directions
0 21 pass break end oneroute any
This is from the default rules.
Where your IPsec is enabled you need to add firewall on.
So, to allow traffic to SSH over the tunnel, it would be something like:
pass out break end oneroute from any to any port=22 inspect-state
You might only need to enable it on one end.