Strongswan issues (UCI broken, manual setup)


I would rather use OpenVPN, but due to having a device that only supports IPsec I'm stuck with strongSwan, and I have faced some issues.

The strongswan-mod-uci package is broken as of now, so in my attempt to establish the VPN tunnel I modified /etc/ipsec.conf and /etc/ipsec.secrets (using a PSK) manually.

The tunnel is established, but there is 0 traffic going through; e.g. see the output of ipsec statusall below:

root@LEDE:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.9.37, mips):
  uptime: 33 minutes, since Jul 17 05:09:23 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
        TPL2:  %any...yyy.yy.yyy.yyy  IKEv2
        TPL2:   local:  uses pre-shared key authentication
        TPL2:   remote: [yyy.yy.yyy.yyy] uses pre-shared key authentication
        TPL2:   child: === TUNNEL
Security Associations (1 up, 0 connecting):
        TPL2[150]: ESTABLISHED 18 minutes ago,[]...yyy.yy.yyy.yyy[yyy.yy.yyy.yyy]
        TPL2[150]: IKEv2 SPIs: 9c7aa6dbc017eda1_i 44af61441bfe8c77_r*, pre-shared key reauthentication in 2 hours
        TPL2[150]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        TPL2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c99b2d0d_i e6702f43_o
        TPL2{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 25 minutes
        TPL2{1}: === = local public IP
yyy.yy.yyy.yyy = remote public IP

With the connection above established, I don't see any new entries in the routing table; route -n shows nothing extra after establishing the connection.

Below is /etc/ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.

conn TPL2
	# this box

	# the remote box (TPL2)
	# connection settings

The firewall has the required ports open:

config rule
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'ah'

Thanks for any help.
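As an added example (not part of the original post or of strongSwan), a small Python check that parses the CHILD_SA lines of ipsec statusall output like the one above and flags SAs that are INSTALLED but have moved 0 bytes in both directions, which is exactly the "up but dead" symptom described here. It assumes the strongSwan 5.x statusall line layout shown in the post; the first sample is the post's own SA lines and the second is a constructed sample for a tunnel that carries traffic.

```python
import re
from typing import Dict, List

# Sample 1: the SA block from the post's `ipsec statusall` output above.
STATUS_IDLE = """\
Security Associations (1 up, 0 connecting):
        TPL2[150]: ESTABLISHED 18 minutes ago,[]...yyy.yy.yyy.yyy[yyy.yy.yyy.yyy]
        TPL2[150]: IKEv2 SPIs: 9c7aa6dbc017eda1_i 44af61441bfe8c77_r*, pre-shared key reauthentication in 2 hours
        TPL2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c99b2d0d_i e6702f43_o
        TPL2{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 25 minutes
"""
# Sample 2: constructed output for a tunnel that is actually carrying packets.
STATUS_BUSY = """\
        TPL2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c99b2d0d_i e6702f43_o
        TPL2{1}:  AES_CBC_256/HMAC_SHA1_96, 5120 bytes_i (40 pkts, 3s ago), 2210 bytes_o (25 pkts, 3s ago), rekeying in 25 minutes
"""

# "TPL2{1}:  INSTALLED, TUNNEL, ..." -> connection name, CHILD_SA id, state, mode
CHILD_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),\s+(?P<mode>TUNNEL|TRANSPORT|BEET)")
# "TPL2{1}:  <algs>, N bytes_i ..., M bytes_o ..." -> traffic counters (packet counts in brackets are optional)
BYTES_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:.*?(?P<bin>\d+) bytes_i.*?(?P<bout>\d+) bytes_o")


def parse_child_sas(text: str) -> Dict[str, dict]:
    """Map 'conn{id}' -> {'state', 'mode', 'bytes_in', 'bytes_out'} for every CHILD_SA in the output."""
    sas: Dict[str, dict] = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas[f"{m['conn']}{{{m['id']}}}"] = {"state": m["state"], "mode": m["mode"], "bytes_in": None, "bytes_out": None}
            continue
        m = BYTES_RE.match(line)
        if m:
            sa = sas.setdefault(f"{m['conn']}{{{m['id']}}}", {"state": None, "mode": None})
            sa["bytes_in"], sa["bytes_out"] = int(m["bin"]), int(m["bout"])
    return sas


def idle_child_sas(sas: Dict[str, dict]) -> List[str]:
    """CHILD_SAs that are INSTALLED yet have moved no bytes in either direction: the 'up but dead' case."""
    return sorted(k for k, sa in sas.items()
                  if sa["state"] == "INSTALLED" and sa["bytes_in"] == 0 and sa["bytes_out"] == 0)


if __name__ == "__main__":
    for label, text in (("post", STATUS_IDLE), ("busy", STATUS_BUSY)):
        print(label, idle_child_sas(parse_child_sas(text)))  # post ['TPL2{1}'] / busy []
```

In practice you would feed it the live output (e.g. subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout) from a cron job and alert when the list is non-empty for longer than one rekey interval.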