One thing to check is that NAT-T is enabled; a symptom we have seen is that the tunnel can be established but the client cannot decrypt traffic. Sometimes this problem resolves itself after 180 seconds and packets start to get decrypted at the client....