Hi Jody,
> It apparently can see the authentication and says it’s good
It doesn't; only its own authentication is successful (read the log more closely). For the client, it requests EAP authentication in the IKE_AUTH response, but since there never is a follow-up IKE_AUTH request, the IKE_SA is not completed and gets destroyed after a while.
Either the client doesn't like the server certificate (e.g. because it's expired, or it doesn't trust the issuing CA, or a required intermediate CA certificate is missing; the identity, i.e. the server IP, seems to be fine and to match the certificate, as the server uses that itself), or it doesn't receive the IKE_AUTH response at all (while it is fragmented into two fragments, the first might still be too large; reducing charon.fragment_size might help).
Regards, Tobias
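
The three certificate causes named in the reply above (expired, issuing CA not trusted, intermediate CA missing) can be checked offline with `openssl`. This is an added example, not part of the original message; the function names, the `GRACE` variable and the throwaway demo chain (constructed, valid for one day) are assumptions made for illustration.

```shell
#!/bin/sh
# check_server_cert SERVER_CERT ROOT_CA [INTERMEDIATES] -> prints expired | untrusted | ok
# GRACE (hypothetical variable, seconds) also flags certificates about to expire.
check_server_cert() {
    cert=$1; root=$2; inter=${3:-}
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend "${GRACE:-0}" >/dev/null 2>&1; then
        echo expired; return 0
    fi
    if [ -n "$inter" ]; then
        # -untrusted supplies intermediates the way a server would send them
        openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 \
            && { echo ok; return 0; }
    else
        openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 && { echo ok; return 0; }
    fi
    echo untrusted
}

# issue NAME SUBJECT EXTFILE SIGNER_ARGS...  (constructed test material only)
issue() {
    name=$1; subj=$2; ext=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -days 1 -extfile "$ext" "$@" \
        -out "$name.pem" 2>/dev/null
}

# Build root -> intermediate -> server (CN is a documentation IP) in directory $1
make_demo_chain() {
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
    issue "$d/root" "/CN=Demo Root CA" "$d/ca.ext" -signkey "$d/root.key"
    issue "$d/int" "/CN=Demo Intermediate CA" "$d/ca.ext" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial
    issue "$d/srv" "/CN=192.0.2.10" "$d/leaf.ext" \
        -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial
}

demo=$(mktemp -d) && make_demo_chain "$demo"
echo "client has root + intermediate: $(check_server_cert "$demo/srv.pem" "$demo/root.pem" "$demo/int.pem")"
echo "client has root only:           $(check_server_cert "$demo/srv.pem" "$demo/root.pem")"
```

An `untrusted` result with only the root, next to `ok` once the intermediate is supplied, is the "required intermediate CA certificate is missing" case; the fragmentation possibility is not covered by this check.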