debian ikev2-vpn ipsec

Привет.
Система Debian 11

ipsec version
Linux strongSwan U5.9.1/K5.10.0-27-amd64

Настраиваю vpn для себя.
Получил сертификат от letsencrypt

certbot certonly --standalone -d ikev2.mydom.net

скопировал серфтикат

cp /etc/letsencrypt/live/ikev2.mydom.net/privkey.pem /etc/ipsec.d/private/
cp /etc/letsencrypt/live/ikev2.mydom.net/cert.pem /etc/ipsec.d/certs/
cp /etc/letsencrypt/live/ikev2.mydom.net/chain.pem /etc/ipsec.d/cacerts/
cp /etc/letsencrypt/live/ikev2.mydom.net/fullchain.pem /etc/ipsec.d/certs

# find /etc/ipsec.d/ -name '*.pem' -type f -exec chmod 600 {} \;

Пример.

# ls -al /etc/ipsec.d/private/
-rw-------  1 root root 1704 Jan 20 08:17 privkey.pem

/etc/sysctl.conf
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc=1

Настройка ipsec

# egrep -v '^$|^#' /etc/ipsec.conf 
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@ikev2.mydom.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.134.0/24
    rightdns=8.8.4.4,8.8.8.8
    rightsendcert=never
    eap_identity=%identity

cat /etc/ipsec.secrets
: RSA "privkey.pem"
73rrr_us01 : EAP "Y7gYjEEtlJ6rZbY2hCz5nD2Gm1DLGy4qxGTYP1MNJk"
13barbos24 : EAP "jC92f7Zm16AjcEo3N6zJ1Uc0Wn"

/root/ipsec
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

Вижу есть есть правила в iptables насчет маскарада.

COMMIT
# Completed on Sat Jan 20 16:26:28 2024
# Generated by iptables-save v1.8.7 on Sat Jan 20 16:26:28 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sat Jan 20 16:26:28 2024

Общие правила iptables.

# iptables -nvL
Chain INPUT (policy DROP 491 packets, 18776 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1090 80241 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW tcp flags:0x12/0x12 reject-with tcp-reset
    2   720 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    2  1360 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    5   212 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    3   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80      

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 759 packets, 131K bytes)
 pkts bytes target     prot opt in     out     source               destination      

Пробую использовать впн на телефоне андройд 14.
Подключается но интернета нет.
Что я делаю не так?