In your ipsec.conf
log you have
rightsubnet=192.168.1.1/24
That should be
rightsourceip=192.168.1.1/24
left|rightsubnet is documented as
left|rightsubnet = <ip subnet>[[<proto/port>]][,...]
private subnet behind the left participant, expressed as network/netmask; if omitted, essentially assumed to be left/32|128, signifying that the left|right end of the connection goes to the left|right participant only. The configured subnets of the peers may differ, the protocol narrows it to the greatest common subnet. Since 5.0.0 this is also done for IKEv1, but as this may lead to problems with other implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas, IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity extension plugin is enabled (available since 5.0.1).
Since 5.1.0 the optional part after each subnet enclosed in square brackets specifies a protocol/port to restrict the selector for that subnet. Examples: leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] or leftsubnet=fec1::1[udp],10.0.0.0/16[/53]. Instead of omitting either value %any can be used to the same effect, e.g. leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53]
The port value can alternatively take the value %opaque for RFC 4301 OPAQUE selectors, or a numerical range in the form 1024-65535. None of the kernel backends currently supports opaque or port ranges and uses %any for policy installation instead.
Instead of specifying a subnet, %dynamic can be used to replace it with the IKE address, having the same effect as omitting left|rightsubnet completely. Using %dynamic can be used to define multiple dynamic selectors, each having a potentially different protocol/port definition.
Whereas rightsourceip
is documented as
rightsourceip = %config | <network>/<netmask> | %poolname
The internal source IP to use in a tunnel for the remote peer. If the value is %config on the responder side, the initiator must propose an address which is then echoed back. Also supported are address pools expressed as <network>/<netmask> or the use of an external IP address pool using %poolname, where poolname is the name of the IP address pool used for the lookup (see virtual IP for details). Since 5.0.1 a comma-separated list of IP addresses / pools is accepted, for instance, to define pools of different address families.
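As an added example (not part of the original thread and not strongSwan's own code), the following Python lint parses an ipsec.conf, splits each left|rightsubnet value into the subnet, protocol and port selectors described in the quoted documentation, and flags a subnet written with host bits set, such as the rightsubnet=192.168.1.1/24 from the question. The sample ipsec.conf is constructed for the example; the quoted documentation does not say whether strongSwan masks or rejects such a value, so the lint only reports it as a probable mistake and points at the sourceip parameter the answer suggests.

```python
import ipaddress
import re

# Constructed sample ipsec.conf (not from the original thread). The first
# conn reproduces the questionable line, the second the suggested fix, the
# third exercises the [proto/port] and %dynamic selector syntax.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 2, knl 2, cfg 2"

conn roadwarrior-wrong
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=192.168.1.1/24
    auto=add

conn roadwarrior-fixed
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=192.168.1.0/24
    auto=add

conn selectors
    leftsubnet=10.0.0.1[tcp/80],10.0.0.0/16[/53],fec1::1[udp/%any]
    rightsubnet=%dynamic[udp/500]
"""

# One selector: "<subnet>" optionally followed by "[<proto>/<port>]".
_SELECTOR_RE = re.compile(r"^(?P<net>[^\[\]]+)(?:\[(?P<pp>[^\]]*)\])?$")


def parse_ipsec_conf(text):
    """Return {'conn <name>' | 'config setup': {key: value}} from ipsec.conf text.

    Section headers start at column 0; parameters are indented key=value lines.
    '#' comments are stripped; quotes are only trimmed, not interpreted.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header, e.g. "conn foo" or "config setup"
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_selector(item):
    """Parse one left|rightsubnet entry into (network, proto, port, host_bits_set).

    network is an ipaddress network object or the literal '%dynamic'.
    A bare address gets /32 or /128; a missing proto or port becomes '%any',
    which the documentation describes as the equivalent of omitting it.
    """
    m = _SELECTOR_RE.match(item.strip())
    if not m:
        raise ValueError(f"unparsable selector: {item!r}")
    net_text, pp = m.group("net"), m.group("pp")
    proto, port = "%any", "%any"
    if pp:
        p, sep, q = pp.partition("/")
        if p:
            proto = p
        if sep and q:
            port = q
    if net_text == "%dynamic":
        return ("%dynamic", proto, port, False)
    try:
        return (ipaddress.ip_network(net_text), proto, port, False)
    except ValueError:
        # e.g. 192.168.1.1/24: a host address written with a prefix length.
        return (ipaddress.ip_network(net_text, strict=False), proto, port, True)


def check_sections(sections):
    """Lint every conn: report left|rightsubnet entries whose host bits are set.

    A /24 written with a host address usually means either the network address
    was intended, or the author wanted a virtual IP pool (left|rightsourceip).
    """
    findings = []
    for name, params in sections.items():
        if not name.startswith("conn "):
            continue
        for key in ("leftsubnet", "rightsubnet"):
            if key not in params:
                continue
            for item in params[key].split(","):
                net, _proto, _port, host_bits = parse_selector(item)
                if host_bits:
                    side = key[: -len("subnet")]  # "left" or "right"
                    findings.append(
                        f"{name}: {key}={item.strip()} has host bits set; "
                        f"the network address is {net}. If this is a pool of "
                        f"virtual IPs for the peer, use {side}sourceip instead."
                    )
    return findings


if __name__ == "__main__":
    for finding in check_sections(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print(finding)
```

Run it against a real ipsec.conf by reading the file into parse_ipsec_conf instead of SAMPLE_IPSEC_CONF; it deliberately reports only the host-bits case, because that is the one the quoted documentation lets us call out without guessing at how the daemon narrows or rejects the selector.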