Thanks for your feedback.
'ip rule 220' means that any packets which are not marked as 0xffffffff will look up table 220. So packets to the local network will also look up table 220. That is why we cannot reach the local network.
220: not from all fwmark 0xffffffff lookup 220
Maybe we can change the ipsec table 220 to main table 254. Then the ipsec route table will not have higher priority than the main table.
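
The lookup order discussed in this message, modelled as an added example (not part of the original post and not strongSwan or kernel code). The 192.168.1.0/24 LAN prefix, the broader 192.168.0.0/16 tunnel route and the device labels are constructed assumptions, and the fwmark test is simplified to an exact comparison without a mask.

```python
import ipaddress

LAN = ("192.168.1.0/24", "eth0 (connected LAN)")        # constructed sample route
TUNNEL = ("192.168.0.0/16", "eth0 (IPsec policy route)")  # constructed sample route

# (priority, required fwmark or None, inverted, table) as listed by `ip rule`
RULES = [
    (220, 0xFFFFFFFF, True, 220),  # 220: not from all fwmark 0xffffffff lookup 220
    (32766, None, False, 254),     # 32766: from all lookup main
]

def make_tables(ipsec_table):
    """Build routing tables with the IPsec route installed in table 220 or 254."""
    tables = {220: [], 254: [LAN]}
    tables[ipsec_table].append(TUNNEL)
    return tables

def lookup_table(routes, dst):
    """Longest-prefix match inside one table; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def route(dst, fwmark, tables):
    """Walk the rules by priority; the first table holding a matching route wins."""
    for _prio, mark, inverted, table in sorted(RULES):
        matched = True if mark is None else (fwmark == mark)
        if inverted:
            matched = not matched
        if not matched:
            continue
        hit = lookup_table(tables[table], dst)
        if hit:  # an empty or non-matching table falls through to the next rule
            return table, str(hit[0]), hit[1]
    return None

if __name__ == "__main__":
    for label, tables in (("IPsec routes in table 220", make_tables(220)),
                          ("IPsec routes in main (254)", make_tables(254))):
        print(label)
        for dst, mark in (("192.168.1.50", 0), ("192.168.1.50", 0xFFFFFFFF),
                          ("192.168.2.9", 0)):
            print(f"  dst={dst} fwmark={mark:#x} -> {route(dst, mark, tables)}")
```

With the route in table 220, the unmarked packet to the LAN host is answered by rule 220 before the main table is consulted; with the route in main, longest-prefix match picks the more specific connected route.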