How to allow only ssh and ftp over vpn tunnel between two TransPort WR11

you can add firewall rules that only allow set traffic in and out of the tunnel

0 20 #Allow any traffic within an IPSEC tunnel in both directions
0 21 pass break end oneroute any

this is from the default rules.
where your ipsec ia enabled you need to add firewall on

so to allow traffic to ssh over the tunnel would be something like

pass out break end oneroute from any to any port=22 inspect-state

you might only need to enable it on one end