Help. Going nuts with IPsec IKEv2

I got this to establish a connection:

conn ws-ca 
      keyexchange=ikev2 
      dpdaction=restart 
      dpddelay=300s 
      eap_identity=MYUSERNAME
      leftauth=eap-mschapv2 
      left=%defaultroute 
      leftsourceip=%config 
# If I uncomment either of the next two lines, the connection fails
#      leftfirewall=yes
#      leftsubnet=192.168.8.0/24
      right=ca.windscribe.com
      rightauth=pubkey 
      rightsubnet=0.0.0.0/0 
      rightid=%any 
      type=tunnel 
      auto=add

… but then I lose contact with the router.

I'd like to help, but I don’t have experience with IPsec. We are doing some work now.