[strongSwan] strongswan doesn't route traffic
oldkid
oldkid at gmx.com
Thu Sep 12 08:28:36 CEST 2019
Sorry to bother again, but I still can't get the routing working.
I run strongswan 5.8.1 on an Arch Linux server. I basically followed
strongswan's migration guide's configuration, and both Windows 10 and
strongswan Android client can connect to the server, but neither of
them route traffic. It's not encrypted even if I connect to my server
itself via http.
This is my current configuration:
connections {
    eap-ike {
        send_cert = always
        version = 2
        pools = virtualnet
        send_certreq = no
        proposals = default
        local {
            auth = pubkey
            certs = server.pem
            id = my-vpn-server.tld
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            vpn {
                esp_proposals = default
                updown = /usr/local/bin/_updown.in iptables
            }
        }
    }
}
secrets {
    eap-user {
        id = vpnuser
        secret = password
    }
}
pools {
    virtualnet {
        addrs = 192.168.25.0/24
    }
}
I think options like local_ts, remote_ts should be fine by default.
Anyway, nothing changes when I change them. The client gets
192.168.25.1/32 somehow and the server itself doesn't have an address
in this virtual network, therefore I don't even know what the gateway
should be if I'm to add a route on the client side manually. I'm not
sure if the updown script works. I grabbed it from strongswan's git
repository because it's not with Arch's package. But at this point, I
think I understand even less about IPsec. Can anyone please point out
what I'm doing wrong? Thanks in advance.