Hi Micah, > 1. Can I configure the strongSwan server to force the clients to send > the FQDNs as identities?
No, that's a local decision. > 2. Alternatively, can I generate certificates differently to force the > clients to send the FQDNs as identities? Not that I'm aware. > 3. Am I misreading the documentation about rightid=%fqdn? If so, what > is it intended to do? It's mostly useful on clients to match the configured identity against SANs in the server certificate if the server uses the subject DN as identity. It doesn't change the IKE identity the peer sends. > 4. Can I avoid using two conn sections for each user somehow? If you want to match their identity, no. > 5. Even better, can I use a single conn section to match all users, > no matter their operating system, and enforce that they send their > client identifier to the DHCP server the same way? Have a look at  for my suggestion to Harald (who had a similar question) for a possible code modification to do this (i.e. get the client certificate, extract the first dNSName SAN and then forward that as host name in the DHCP request). Regards, Tobias  https://wiki.strongswan.org/issues/2581