Issue #1252

Unable to connect to a Windows Server 2008 commercial VPN

Added by Federico Rossi over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.1.2
Resolution:
No feedback

Description

I am trying to use strongswan directly from Linux (no network manager support) to connect to a Windows Server 2008 VPN in order to redirect all my internet traffic through a VPN. The commercial VPN supports L2TP/IPsec through a shared psk plus the standard username/password credential (as far as I have understood L2TP could not be necessary and in any case the L2TP protocol sets up after the IPsec tunnel has been established); I have no problem in connecting from Windows, yet from Linux the tunnel is never established. The ipsec.conf, ipsec.secrets and the connection logs are attached; here follows just a brief summary of what happens:

1) If I use leftauth=eap and rightauth=psk the connection fails because the server seems to provide by itself its certificate and strongswan client drops the connection since psk verification has not taken place (constraint requires pre-shared key authentication, but public key was used).

2) If I use leftauth=eap and rightauth=pubkey (so I skip psk) strongswan verifies the server certificate, performs a successful EAP authentication (which works perfectly because if I change either the username or password an error is returned), but then another authentication is made which, unluckily, fails (EAP method EAP_MSCHAPV2 succeeded, MSK established, reinitiating already active tasks, IKE_AUTH task, authentication of 'purevpn0sxxxxxx' (myself) with EAP, parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ], [IKE] AUTH payload missing, [ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED) ]).

In the log even though the EAP authentication is reported to be successful I can read: EAP-MS-CHAPv2 succeeded: '(null)', which seems quite strange (I would expect a non null string between quotes). Moreover I do not know what option in configuration enables the verification of psk in place of certificate.

Probably it is just a configuration issue, but I was unable to find a working configuration example in https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples.

strongswan.log (160 KB), Federico Rossi, 05.01.2016 12:07
strongswan.log (160 KB), Federico Rossi, 05.01.2016 23:46
log traceroute + wget.txt (55.8 KB), Strongswan log, Federico Rossi, 05.02.2016 17:37
wget wireshark error.pcapng (29.4 KB), Federico Rossi, 05.02.2016 17:37

History

#1 Updated by Federico Rossi over 9 years ago

#2 Updated by Tobias Brunner over 9 years ago

  • Description updated (diff)
  • Category set to configuration
  • Status changed from New to Feedback

1) If I use leftauth=eap and rightauth=psk the connection fails because the server seems to provide by itself its certificate and strongswan client drops the connection since psk verification has not taken place (constraint requires pre-shared key authentication, but public key was used).

Since the combination of EAP with PSK authentication is not valid for IKEv2 (even though strongSwan supports it) it's likely that Windows does not actually do or support that.

2) If I use leftauth=eap and rightauth=pubkey (so I skip psk) strongswan verifies the server certificate, performs a successful EAP authentication (which works perfectly because if I change either the username or password an error is returned), but then another authentication is made which

No, no other authentication is made. The problem is this:

parsed IKE_AUTH response 5 [ N(FAIL_CP_REQ) ]

The error received is FAILED_CP_REQUIRED, i.e. the server complains that the client has not requested any configuration payloads (virtual IPs, DNS servers). So add leftsourceip=%config to request a virtual IP and DNS servers. You might also want to configure rightsubnet=0.0.0.0/0. An example Linux client configuration may be found at IKEv2ClientConfig.

In the log even though the EAP authentication is reported to be successful I can read: EAP-MS-CHAPv2 succeeded: '(null)', which seems quite strange (I would expect a non null string between quotes).

No that's quite common. The string is a welcome/information string which the server may optionally provide within the EAP-MSCHAPv2 protocol.
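A minimal Linux client configuration that follows the advice in this reply (EAP-MSCHAPv2 on the client side, certificate authentication for the server instead of PSK, leftsourceip=%config so the server's FAILED_CP_REQUIRED does not occur, rightsubnet=0.0.0.0/0 to route everything through the tunnel). This is an added example, not a configuration taken from the ticket or the strongSwan wiki; the server name, identities and password are placeholders, and it assumes the server certificate's CA has been placed in /etc/ipsec.d/cacerts.

```ini
# /etc/ipsec.conf (added example; placeholders marked below)
config setup

conn vpn-ikev2
    keyexchange=ikev2
    left=%defaultroute
    # Request a virtual IP and DNS servers via configuration payloads.
    # Without this the Windows server rejects IKE_AUTH with FAILED_CP_REQUIRED.
    leftsourceip=%config
    # The client authenticates with username/password over EAP-MSCHAPv2.
    leftid=vpn-username                # placeholder: your VPN account name
    leftauth=eap-mschapv2
    eap_identity=%identity             # send leftid as the EAP identity
    right=vpn.example.invalid          # placeholder: the provider's server
    # Pin the server identity to what its certificate carries; do not use
    # rightauth=psk together with EAP, which is invalid for IKEv2.
    rightid=vpn.example.invalid        # placeholder: must match the server cert
    rightauth=pubkey
    # Send all traffic through the tunnel.
    rightsubnet=0.0.0.0/0
    auto=add

# /etc/ipsec.secrets (added example; placeholder credentials)
# vpn-username : EAP "vpn-password"
```

The ipsec.secrets line is shown as a comment only because both files are in one block; in practice it goes into /etc/ipsec.secrets without the leading `#`.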

#3 Updated by Federico Rossi over 9 years ago

Ok, with both leftsourceip and rightsubnet it connects and it does redirect all internet traffic to the vpn endpoint as I can see from a traceroute log. However there are a lot of issues:

1) internet navigation mainly does not work, the browser keeps waiting forever for most of the websites. I tried with a simple wget command to retrieve the main html webpage of a website (e.g. wget -S -T5 http://213.92.16.17), but it goes into timeout and no html headers are returned at all. I have included a wireshark capture (together with the strongswan log); there are some tcp errors in wireshark (unluckily the http request packet is not logged in wireshark - it logs only the encrypted esp payload, still wondering why - whereas the returned http response is logged, but it is empty - only tcp header). I have also tried with a direct telnet to port 80 of a website: the telnet client connects, but whatever command I write the connection is always aborted (no response from web server).

2) Sometimes even the nslookup does not work (it depends on the connection, if you disconnect and reconnect it might not happen) and in any case wget provided with the direct ip address behaves in the same way as before. Sometimes even if nslookup works, wget is not able to resolve the domain name correctly and so ip address has to be used directly.

3) Very few times I managed to retrieve the google webpage.

Do you have any idea why this could happen? In the strongswan log I found the following dubious entries:

1) Just after connecting there is an INFORMATIONAL re-request, whose response is retransmitted accordingly.

2) CHILD_SA ESP/0xc455b898/xx.yy.zz.ww not found for delete, after having received a XFRM_MSG_EXPIRE

3) CHILD_SA ESP/0xc2b66928/xx.yy.zz.ww not found for rekey, again after having received a XFRM_MSG_EXPIRE

The VPN provider states it supports both an IKEV2 and L2TP vpn (https://support.purevpn.com/vpn-servers). I do not know if this could be a provider issue, but on Windows there isn't any issue with the same vpn (I am quite sure it's a Windows 2008 server). If you are interested in debugging this vpn I can "borrow" you my credentials for some time.

compile@LupinIII-LINUX:~/strongswan-5.3.5$ traceroute www.google.com
traceroute to www.google.com (66.102.1.103), 30 hops max, 60 byte packets
 1  swe-net-ip.as51430.net (37.46.122.3)  38.872 ms  40.513 ms  40.892 ms
 2  nld-net-ip.as51430.net (79.142.74.3)  40.837 ms  40.743 ms  41.060 ms
 3  nld-net-ip.as51430.net (37.46.123.249)  40.867 ms * *
 4  178.21.17.20 (178.21.17.20)  43.574 ms  43.915 ms  43.799 ms
 5  core1.ams.net.google.com (80.249.208.247)  68.046 ms  69.440 ms  68.107 ms
 6  209.85.143.181 (209.85.143.181)  43.607 ms  40.821 ms 209.85.143.183 (209.85.143.183)  45.591 ms
 7  209.85.248.247 (209.85.248.247)  45.476 ms 209.85.255.41 (209.85.255.41)  44.992 ms 209.85.255.49 (209.85.255.49)  45.577 ms
 8  216.239.41.95 (216.239.41.95)  74.613 ms 216.239.41.116 (216.239.41.116)  53.009 ms 216.239.40.253 (216.239.40.253)  48.398 ms
 9  66.249.95.250 (66.249.95.250)  48.324 ms 209.85.251.231 (209.85.251.231)  48.229 ms 72.14.236.139 (72.14.236.139)  47.782 ms
10  * * *
11  wb-in-f103.1e100.net (66.102.1.103)  48.289 ms  45.096 ms  45.076 ms

compile@LupinIII-LINUX:~$ nslookup www.repubblica.it
Server:        37.46.122.62
Address:    37.46.122.62#53

Non-authoritative answer:
Name:    www.repubblica.it
Address: 213.92.16.171
Name:    www.repubblica.it
Address: 213.92.16.191

compile@LupinIII-LINUX:~$ wget -S -T5 http://www.repubblica.it
--2016-02-05 17:02:42--  http://www.repubblica.it/
Resolving www.repubblica.it (www.repubblica.it)... failed: Connection timed out.
wget: unable to resolve host address ‘www.repubblica.it’

compile@LupinIII-LINUX:~$ wget -S -T5 http://213.92.16.191
--2016-02-05 17:02:50--  http://213.92.16.191/
Connecting to 213.92.16.191:80... connected.
HTTP request sent, awaiting response... Feb  5 17:02:52 LupinIII-LINUX charon: 14[KNL] querying policy 37.46.122.26/32 === 0.0.0.0/0 out  (mark 0/0x00000000)
Read error (Connection timed out) in headers.
Retrying.

--2016-02-05 17:02:56--  (try: 2)  http://213.92.16.191/
Connecting to 213.92.16.191:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.

#4 Updated by Federico Rossi over 9 years ago

Sorry I forgot to tell that meanwhile I had updated strongswan to the latest version 5.3.5, so all the previous tests apply to the latest version.

#5 Updated by Tobias Brunner over 9 years ago

1) Just after connecting there is an INFORMATIONAL re-request, whose response is retransmitted accordingly.

This Informational request and its retransmits are received at 16:51:51, 16:51:53, 16:51:56, 16:52:00 respectively. That's because there is a delay of 14 seconds between installing the first and the second received DNS server:

Feb  5 16:51:51 LupinIII-LINUX charon: 13[IKE] processing INTERNAL_IP4_DNS attribute
Feb  5 16:51:51 LupinIII-LINUX charon: 13[IKE] installing DNS server 37.46.122.62 via resolvconf
...
Feb  5 16:52:05 LupinIII-LINUX charon: 13[IKE] processing INTERNAL_IP4_DNS attribute
Feb  5 16:52:05 LupinIII-LINUX charon: 13[IKE] installing DNS server 8.8.4.4 via resolvconf
Feb  5 16:52:05 LupinIII-LINUX charon: 13[KNL] 192.168.72.139 is on interface eth0
Feb  5 16:52:05 LupinIII-LINUX charon: 13[IKE] installing new virtual IP 37.46.122.26

Perhaps a problem with resolvconf (however, the second time there does not seem to be a delay).

2) CHILD_SA ESP/0xc455b898/xx.yy.zz.ww not found for delete, after having received a XFRM_MSG_EXPIRE
3) CHILD_SA ESP/0xc2b66928/xx.yy.zz.ww not found for rekey, again after having received a XFRM_MSG_EXPIRE

It's possible that these are old SAs from an earlier run where you didn't terminate the daemon properly. These SAs will expire sometime later; if the daemon is running again at that time, this will cause these messages, as it has no knowledge of these SAs. Check if you see any SAs in ip xfrm state after stopping the daemon (you may flush these with ip xfrm state flush).

If you are interested in debugging this vpn I can "borrow" you my credentials for some time.

I'm not. Ask your provider for support with their service.

#6 Updated by Tobias Brunner over 9 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback