[strongSwan] Win 8.1 fails to connect - error 809 - fragmentation problem?
Conrad Kostecki
ck+strongswanusers at bl4ckb0x.de
Sun Jun 7 22:30:24 CEST 2015
Hi!
I am using a Windows 8.1 client (it's behind a NAT IPv4 router)
and trying to connect to my StrongSwan server, installed on my root
server.
But this is failing, because Windows reports error 809.
My StrongSwan configuration is:

config setup
    charondebug="cfg 0, dmn 2, ike 2, net 2, lib 3"

conn %default
    dpdaction=clear
    dpddelay=60s
    esp=sha512-modp4096
    fragmentation=yes
    ike=sha512-modp4096
    keyexchange=ikev2
    mobike=yes

conn roadwarrior
    auto=add
    eap_identity=%any
    fragmentation=yes
    left=%any
    leftauth=pubkey
    leftcert=server.crt
    leftsubnet=0.0.0.0/0,::/0
    leftid="C=xx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx, E=xxx"
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.164.0/24

So, I've started to capture packets. What I can see:
Windows 8.1 client:
It sends IKE_SA_INIT and gets a response
After this, it sends IKE_AUTH and retries? two times again.
-> https://www.bl4ckb0x.de/client.bin
Linux IPv4 NAT router, to which the Windows 8.1 client is connected:
IKE_SA_INIT is sent to server, response received and forwarded to
client.
But I don't see the IKE_AUTH anymore. I can only see three times
fragmentation. Are these the IKE_AUTH packets?
-> https://www.bl4ckb0x.de/router.client.bin
StrongSwan server on the internet:
IKE_SA_INIT is received and replied back.
IKE_AUTH never arrives. Not even a fragmented packet.
-> https://www.bl4ckb0x.de/server.bin
So, is this a problem of fragmented packets? If so, what can I do?
fragmentation=yes is at least set. I am unsure, which part causes that
fragmentation?
Any ideas?
Thanks!
Conrad
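
Added example, not part of the original post: a small classifier for raw IPv4 packets taken from captures like the three above, showing how to tell an IKE_SA_INIT or IKE_AUTH message (exchange types 34 and 35 in the IKEv2 header, after the 4-byte non-ESP marker on UDP 4500) from a non-first IP fragment, which carries no UDP or IKE header at all. The function and helper names and the sample packets are constructed for illustration.

```python
import struct

IKE_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def classify_ipv4(pkt: bytes) -> str:
    """Label one raw IPv4 packet (link-layer header already stripped)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    if pkt[9] != 17:
        return "not-udp"
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset = (flags_frag & 0x1FFF) * 8          # fragment offset in bytes
    if offset:
        # Non-first fragments have no UDP or IKE header to inspect.
        return f"ip-fragment offset={offset}"
    udp = pkt[ihl:]
    if len(udp) < 8:
        return "truncated"
    sport, dport = struct.unpack("!HH", udp[:4])
    ike = udp[8:]
    if 4500 in (sport, dport):
        if ike == b"\xff":
            return "nat-keepalive"
        if ike[:4] != bytes(4):                 # no non-ESP marker
            return "esp-in-udp"
        ike = ike[4:]
    elif 500 not in (sport, dport):
        return "other-udp"
    if len(ike) < 28:
        return "truncated"
    name = IKE_EXCHANGES.get(ike[18], f"exchange-{ike[18]}")
    ike_len = struct.unpack("!I", ike[24:28])[0]
    tail = " first-ip-fragment" if flags_frag & 0x2000 else ""
    return f"{name} ike_len={ike_len}{tail}"

# Constructed sample packets (documentation addresses, zero checksums).
def ipv4(payload: bytes, flags_frag: int = 0) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                       64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload

def udp_ike(port: int, exchange: int, ike_len: int) -> bytes:
    ike = bytes(16) + struct.pack("!BBBBII", 0, 0x20, exchange, 0x08, 1, ike_len)
    marker = bytes(4) if port == 4500 else b""
    return struct.pack("!HHHH", port, port, 8 + len(marker) + len(ike), 0) + marker + ike

if __name__ == "__main__":
    print(classify_ipv4(ipv4(udp_ike(500, 34, 880))))
    print(classify_ipv4(ipv4(udp_ike(4500, 35, 3000), 0x2000)))
    print(classify_ipv4(ipv4(bytes(100), 1480 // 8)))
```

An `ike_len` larger than the path MTU together with `first-ip-fragment` means the IKE message was split at the IP layer, and the remaining pieces show up only as `ip-fragment` entries.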