[strongSwan] Strongswan L2TP
pavel at gradient54.ru
Fri Jun 14 11:26:58 CEST 2013
Sorry for the stupid question. I need help in configuring
IOS --- L2TP/IPSEC ---server
Now I have:
-Debian7 server with Strongswan 5.0.4 source
-ios6 cisco client with authentication xauthrsasig ikev1
-IPSEC connection established successfully
Question:
You can kill me, but I can't understand how to connect l2tp with ipsec
in one action!
Maybe the client must make separate connections: first ipsec, second l2tp?
I'm in delusion. Where am I wrong!? In what state l2tp

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsourceip=10.154.154.0/24
    auto=add
    rightid="C=RU, O=Office, CN=*"

ipsec_starter[4080]: Starting strongSwan 5.0.4 IPsec [starter]...
ipsec_starter[4101]: charon (4102) started after 20 ms
charon: 05[IKE] 10.54.1.1 is initiating a Main Mode IKE_SA
charon: 01[IKE] IKE_SA ios[1] established between 10.54.1.120[C=RU,
O=Office, 10.54.1.1[C=RU, O=Gradient, CN=client]
charon: 04[IKE] CHILD_SA ios{1} established with SPIs c7f323b3_i
07f741ea_o and TS 10.54.1.120/32 === 10.154.154.1/32
ping 10.154.154.1
PING 10.154.154.1 (10.154.154.1) 56(84) bytes of data.
64 bytes from 10.154.154.1: icmp_req=1 ttl=64 time=2437 ms
64 bytes from 10.154.154.1: icmp_req=2 ttl=64 time=1675 ms
64 bytes from 10.154.154.1: icmp_req=3 ttl=64 time=901 ms
64 bytes from 10.154.154.1: icmp_req=4 ttl=64 time=488 ms
-A INPUT -s 10.154.154.1/32 -d 10.54.1.120/32 -i eth0 -m policy --dir in
--pol ipsec --reqid 2 --proto esp -j ACCEPT
-A OUTPUT -s 10.54.1.120/32 -d 10.154.154.1/32 -o eth0 -m policy --dir
out --pol ipsec --reqid 2 --proto esp -j ACCEPT