Add details of XAUTH authentication. This is supposedly possible by adding xauth=yes to ipsec.conf. However, I've not got it to work yet.
With the config entry:
conn iketest left=172.16.3.18 leftsubnet=172.16.3.0/24 right=%any authby=secret xauth=yes auto=add
We get the following message logged in syslog when we try ike-scan --trans=5,1,65001,2 (65001 is XAUTH authentication method):
"iketest" 192.168.124.3 #1: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD