On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> This is not what dstid does. When setting 'dstid D.example.com' the policy still
> only applies if the peer sends 'D.example.com' as its identity in the ID payload.
> Not setting dstid explicitly means iked will fall back to the value of "peer",
> which in your case would be the same: "D.example.com".
>
> Setting dstid is only necessary if you are using the IP address in the
> "peer" option but still want to use a FQDN as ID, which is really only the
> case with certificate authentication where the ID must match the
> subjectAltName.

I can double check yet again, but I'm pretty sure that setting dstid was what made iked find the public key. So far, I have not used literal IPs in my configuration - that I know for sure.
Will test and verify before committing anything.
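Added example, not part of the thread and not taken from iked's own documentation: two iked.conf policies showing the two cases discussed above, one with "peer" as a FQDN and no dstid, one with "peer" as an IP address and an explicit dstid. The subnets, the srcid A.example.com and the address 203.0.113.10 are constructed placeholders; D.example.com is the name from the thread.

```conf
# Added example (not from the thread). Subnets, srcid and the
# 203.0.113.10 address are constructed placeholders.

# Policy 1: peer given as a FQDN, dstid omitted.
# iked falls back to the "peer" value, so this policy only matches
# if the remote side sends "D.example.com" in its ID payload.
ikev2 "byname" active esp \
        from 10.0.1.0/24 to 10.0.2.0/24 \
        peer D.example.com \
        srcid A.example.com

# Policy 2: peer given as an IP address, so the expected ID must be
# stated explicitly. Without dstid, iked would expect the remote side
# to identify itself as 203.0.113.10 rather than D.example.com.
ikev2 "byaddr" active esp \
        from 10.0.1.0/24 to 10.0.3.0/24 \
        peer 203.0.113.10 \
        srcid A.example.com \
        dstid D.example.com
```

For raw public key authentication the ID the peer sends is also what iked uses to locate its key under /etc/iked/pubkeys/ (for example pubkeys/fqdn/D.example.com), so a mismatch between the expected ID and the ID actually sent shows up as iked failing to find the key, not as a policy that matches with the wrong ID. Checking `iked -dv` output for the ID payload received from the peer is the quickest way to tell the two cases apart.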
