For IPsec to work, you should permit on Linux:
500/udp
ESP protocol (--protocol esp -j ACCEPT)
4500/udp (optionally, if there's a NAT)
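The three permits listed above, as an added example that is not from this thread: a small POSIX sh script that prints (and, when asked, applies) the iptables INPUT rules for IKE on 500/udp, the ESP protocol, and optionally NAT-T on 4500/udp. The interface name, the peer address (a documentation-range placeholder) and the use of the filter table's INPUT chain are assumptions, not something the thread states; the rules are scoped to the peer rather than any/any.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions (not on the page): interface and peer are placeholders that the
# caller overrides via the environment; rules are appended to filter/INPUT.
IFACE="${IFACE:-eth0}"          # constructed placeholder
PEER="${PEER:-203.0.113.10}"    # constructed placeholder (TEST-NET-3 address)

# ipsec_rules [with_nat_t]
# Prints one iptables command per line; pass "1" to include the NAT-T port.
ipsec_rules() {
    with_nat_t="${1:-0}"
    # IKE negotiation (ISAKMP / IKEv2) from the peer only
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 500 -j ACCEPT\n' "$IFACE" "$PEER"
    # ESP carries the encrypted payload; it is an IP protocol (50), not a UDP/TCP port
    printf 'iptables -A INPUT -i %s -s %s -p esp -j ACCEPT\n' "$IFACE" "$PEER"
    if [ "$with_nat_t" = "1" ]; then
        # NAT traversal: ESP is wrapped in UDP 4500 when a NAT sits between the peers
        printf 'iptables -A INPUT -i %s -s %s -p udp --dport 4500 -j ACCEPT\n' "$IFACE" "$PEER"
    fi
}

# Number of rules that would be added; a sanity check before applying
ipsec_rule_count() {
    ipsec_rules "$1" | wc -l | tr -d ' '
}

# Only touch the live firewall when APPLY=1 (needs root); otherwise just show
# the commands so they can be reviewed first.
if [ "${APPLY:-0}" = "1" ]; then
    ipsec_rules "${NAT_T:-0}" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
else
    ipsec_rules "${NAT_T:-0}"
fi
```

Run it as `NAT_T=1 PEER=<peer-ip> sh ipsec-rules.sh` to review the rules, and add `APPLY=1` to install them. One point outside the thread's own wording, included because it is easy to miss: on Linux the decrypted inner packets re-enter netfilter after ESP decapsulation, so the plaintext host-to-host traffic still needs its own accept rule (for example one using `-m policy --dir in --pol ipsec`); the three rules here only admit the IKE and ESP exchange itself.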
The VPN tunnel comes up, but we cannot ping from host to host; however, if I allow any/any on the Linux firewall, I can ping from host to host.
This means that until you permit any/any on Linux, the tunnel actually doesn't come up, because if it did, the Linux firewall rules wouldn't be applied to already encrypted traffic.