[strongSwan] Starting Strongswan after reboot on "quirky" network (auto=route NOT working issue)
Tick Tock
ticktock at inbox.lv
Mon Jan 30 00:55:34 CET 2017
Hello!
I have a problem.
I need to start a strongSwan tunnel to a remote server in a situation when the
physical internet access (not the eth0 being formally "up" but actual
ability to ping the server) may become available an unpredictable (and
usually long, 8-12 seconds, but up to 40) time after the machine (re)boots.
The config that works AFTER the server is pingable is as follows:
-----
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections omitted

conn hide
    forceencaps = yes
    keyexchange=ikev2
    keyingtries = %forever
    dpdaction=clear
    dpddelay=300s
    eap_identity=REDACTED
    leftauth=eap-mschapv2
    left=%defaultroute
    leftfirewall = yes
    leftsourceip=%config
    right=free-nl.hide.me
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=add

include /var/lib/strongswan/ipsec.conf.inc
-----
This one can be started by sudo ipsec up hide without issue, but ONLY after
the server is already pingable.
Now, upon reading docs and googling, I decided to try replacing
auto=add
with
auto=route
(I did a full sudo ipsec restart after changing config)
This has not led to a positive effect.
Even after the connection is definitely working and the server is pingable,
absolutely no connection is established.
Even opening a browser on the machine and navigating somewhere does not
trigger it. Waiting for a whole minute and outright downloading a 1 MB file
still does not trigger it.
The machine is behind a NAT (as is obvious from the working config).
Platform is Debian 8.
Please help :)