strongSwan server with Windows 7 clients doesn't route traffic

I finally have this working, thanks to help from @ecdsa here and some help from the #strongswan IRC channel.

  1. My VPN client's route rules were incomplete. I needed to add both of these rules:

        route add 172.16.1.15/32 10.127.0.1
        route add 172.16.0.0/17 172.16.1.15

    The first one adds a route for the VPN server's private IP address, specifying my client's VPN-assigned IP address as the gateway to it (route print will then display this as being on-link AKA local to that interface). The second one does what I was trying to do with the route rule in my question - it adds a route for the whole private network, specifying the VPN server as the gateway.

  2. I needed to specify leftsubnet=172.16.0.0/17 on the server, or else IPsec policy wouldn't permit traffic to the subnet no matter what the routes were.

  3. I needed to specify leftfirewall=yes on the server so that it would insert appropriate rules into iptables.

  4. I needed to disable "source/dest check" on my Amazon instance. While I had allowed traffic from my VPN subnet to/from the security groups in the Amazon VPC dashboard, I didn't realize there was another setting. On the EC2 dashboard, you can right-click on an instance and go to "Change source/dest check". This check is enabled by default and prevented my VPN traffic from ever leaving the VPN server (and it prevented traffic from other VPC hosts to my VPN subnet from entering the VPN server).
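
The interplay between steps 1 and 2 can be checked offline with a small model. This is an added example, not part of the original answer or of strongSwan: it resolves a destination through the client routes above (including the gateway lookup that makes the first route necessary) and then tests it against the server's traffic selector. The host 172.16.5.20, the function names, and the assumption that the selector covers only the server's own address when leftsubnet is omitted are illustrative; steps 3 and 4 are not modelled.

```python
import ipaddress

# Client's VPN-assigned address, taken from the route commands in step 1.
CLIENT_VPN_IP = ipaddress.ip_address("10.127.0.1")

# The two client routes from step 1, as (destination prefix, gateway).
ROUTES = [
    ("172.16.1.15/32", "10.127.0.1"),
    ("172.16.0.0/17", "172.16.1.15"),
]

def lookup(dst, routes):
    """Longest-prefix match; returns (network, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gw))
    return best

def enters_tunnel(dst, routes, depth=0):
    """True if dst resolves, possibly via a gateway, to the VPN interface."""
    hit = lookup(dst, routes)
    if hit is None or depth > 4:      # no route, or gateway never resolves
        return False
    _, gw = hit
    if gw == CLIENT_VPN_IP:           # gateway is our own VPN address: on-link
        return True
    return enters_tunnel(str(gw), routes, depth + 1)

def verdict(dst, routes, left_subnet):
    """Which layer decides the packet's fate: routing or IPsec policy."""
    if not enters_tunnel(dst, routes):
        return "not routed into VPN"
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(left_subnet):
        return "dropped by IPsec policy"
    return "forwarded"

if __name__ == "__main__":
    # 172.16.5.20 is a constructed host inside the private network.
    for subnet in ("172.16.1.15/32", "172.16.0.0/17"):
        print(subnet, "->", verdict("172.16.5.20", ROUTES, subnet))
```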