Finally found a rather awkward workaround:
1) On the VPN GW, set an IP alias from a different subnet
(192.168.100.1/24) on the primary interface
2) Set up iked.conf with

    ikev2 ...
        from 0.0.0.0/0 to 192.168.100.0/24
        config address 192.168.100.0/24
        config address 192.168.100.2

(yes, both ...)
3) On the client, configure tunnel mode instead of transport mode,
configure remote subnet to be 192.168.100.0/24, but still request IP
configuration from IKEv2.
When this comes up, the client gets two IP addresses (192.168.100.2 and
a random one from the same subnet, but strongSwan fails if it is sent
the static one alone ...)
So now I can connect from the client (from its 192.168.100.2 address) to
the VPN GW (on its 192.168.100.1 alias) - which is what this was all
about (hence the transport mode).
As a side note: it seems that iked, after authenticating the peer, always
sends the "to" address from iked.conf as TSi and the "from" address as
TSr in the IKE_AUTH response. In my understanding, this should be the
other way round.
Thanks for bearing with me :-)
krgds /markus
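
To see which address ranges a gateway actually placed in the TSi and TSr payloads of an IKE_AUTH response, the payload bodies can be decoded with a small parser for the Traffic Selector layout of RFC 7296, section 3.13. This is an added example, not part of the original message and not iked or strongSwan code. It assumes the payload bodies are already decrypted (for example taken from daemon debug output) with the generic payload header removed; the two sample byte strings are constructed from the subnets in the message.

```python
import ipaddress
import struct

# TS Type values defined in RFC 7296, section 3.13.1
ADDR_LEN = {7: 4, 8: 16}   # 7 = TS_IPV4_ADDR_RANGE, 8 = TS_IPV6_ADDR_RANGE

def parse_ts_payload(body: bytes):
    """Decode a TSi or TSr payload body into a list of selectors."""
    if len(body) < 4:
        raise ValueError("TS payload shorter than its 4-byte header")
    count = body[0]                      # number of selectors, then 3 reserved bytes
    offset, selectors = 4, []
    for _ in range(count):
        if len(body) - offset < 8:
            raise ValueError("truncated traffic selector header")
        ts_type, proto, length, start_port, end_port = struct.unpack_from(
            "!BBHHH", body, offset)
        addr_len = ADDR_LEN.get(ts_type)
        if addr_len is None:
            raise ValueError(f"unsupported TS type {ts_type}")
        # Selector Length covers the 8-byte selector header plus both addresses.
        if length != 8 + 2 * addr_len or offset + length > len(body):
            raise ValueError("selector length does not match its TS type")
        first = ipaddress.ip_address(body[offset + 8:offset + 8 + addr_len])
        last = ipaddress.ip_address(body[offset + 8 + addr_len:offset + length])
        # summarize_address_range raises ValueError if first > last.
        networks = [str(n) for n in ipaddress.summarize_address_range(first, last)]
        selectors.append({"proto": proto,
                          "ports": (start_port, end_port),
                          "networks": networks})
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after the last traffic selector")
    return selectors

# Constructed samples: one IPv4 selector each, any protocol, ports 0-65535.
SAMPLE_SUBNET = bytes.fromhex("01000000" "07000010" "0000ffff" "c0a86400" "c0a864ff")
SAMPLE_ANY = bytes.fromhex("01000000" "07000010" "0000ffff" "00000000" "ffffffff")

if __name__ == "__main__":
    for name, raw in (("subnet sample", SAMPLE_SUBNET), ("any sample", SAMPLE_ANY)):
        print(name, parse_ts_payload(raw))
```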