Bringing up libreswan ipsec tunnel ondemand fails

I’ve this (generally working) config for libreswan

conn work
    ikev2=insist

    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=me@my.comp.any
    leftmodecfgclient=yes

    right=81.81.81.81
    rightid=me@my.comp.any
    rightsubnet=192.168.0.0/24

    auto=ondemand
    authby=secret
    mobike=yes
    narrowing=yes
    dpddelay=30
    dpdtimeout=90
    dpdaction=restart

using the config value auto=add and the command ipsec auto --up work is confirmed to be working. Now I was trying the auto=ondemand setting, that should bring up the tunnel on the first package to the remote subnet. Issueing a ping to 192.168.0.132 causes libreswan to do something, but it does not complete, this is the syslog output:

audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0.0.0.0 src_prefixlen=0 dst=192.168.0.0 dst_prefixlen=24
pluto[140534]: initiate on demand from 192.168.86.154:40488 to 192.168.0.132:1025 proto=17 because: acquire
pluto[140534]: cannot initiate connection for packet 192.168.86.154:40488 -> 192.168.0.132:1025 proto=17 - template conn

Since there is this suspect audit happening, I disabled SELinux enforcing but it didn’t change anything. There are no alerts in the SELinux Troubleshooter. Where do I find more information on what is going on?