Version: strongSwan 5.6.2 using swanctl
I am trying to re-use settings so that just the certificate is different
(vpnserver uses ECDSA, vpnserver1 uses RSA), which according to the help page
[1] should be possible:
"connections.<conn>.local<suffix> section: Section for a local authentication
round. A local authentication round defines the rules how authentication is
performed for the local peer. Multiple rounds may be defined to use IKEv2 RFC
4739 Multiple Authentication or IKEv1 XAuth. Each round is defined in a section
having local as prefix, and an optional unique suffix. To define a single
authentication round, the suffix may be omitted."
However, when I connect from OS X (using Local ID = vpnserver1), strongSwan
doesn't match a local peer config:
```
May 1 21:17:10 09[CFG] looking for peer configs matching 10.0.5.202[vpnserver1]...86.2.58.36[192.168.0.31]
May 1 21:17:10 09[CFG]   peer config match local: 0 (ID_FQDN -> 76:70:6e:73:65:72:76:65:72:31)
May 1 21:17:10 09[CFG]   peer config match remote: 1 (ID_IPV4_ADDR -> c0:a8:00:1f)
May 1 21:17:10 09[CFG]   ike config match: 28 (10.0.5.202 86.2.58.36 IKEv2)
May 1 21:17:10 09[CFG] no matching peer config found
```
I have tried prefixing fqdn:vpnserver1 and @vpnserver1, and I have even tried
IP addresses, both the private IP and the public IP (adding them into the
certificates as both DNS:x.x.x.x and IP:x.x.x.x - not shown in the certs below,
as I removed them after trying).
When I connect from Windows, which uses ID_ANY, it picks the first one in the
list ("local"), as expected.
```
connections {
    default {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        local1 {
            id = vpnserver1
            certs = vpnserver1.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
            #revocation = strict # OCSP must be running
        }
        children {
            net {
                local_ts = 10.0.0.0/20
                inactivity = 1h
            }
        }
    }
}
```
```
List of X.509 End Entity Certificates

  subject:  "CN=vpnserver1"
  issuer:   "CN=Root CA"
  validity:  not before May 01 17:18:52 2018, ok
             not after  May 31 17:18:52 2019, ok (expires in 394 days)
  serial:    c2:79:0c:c6:8b:27:50:6a
  altNames:  vpnserver1
  flags:     serverAuth ikeIntermediate
  OCSP URIs: http://127.0.0.1:2560
  authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
  subjkeyId: 98:e8:e0:53:18:0a:d4:1c:38:40:23:ed:1b:3f:a3:13:53:e9:1d:09
  pubkey:    RSA 2048 bits, has private key
  keyid:     ff:b9:af:34:56:ec:7b:33:e5:3f:67:35:43:1d:98:61:ca:73:bf:b1
  subjkey:   98:e8:e0:53:18:0a:d4:1c:38:40:23:ed:1b:3f:a3:13:53:e9:1d:09

  subject:  "CN=vpnserver"
  issuer:   "CN=Root CA"
  validity:  not before May 01 14:33:35 2018, ok
             not after  May 31 14:33:35 2019, ok (expires in 394 days)
  serial:    c2:79:0c:c6:8b:27:50:69
  altNames:  vpnserver
  flags:     serverAuth ikeIntermediate
  OCSP URIs: http://127.0.0.1:2560
  authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
  subjkeyId: 52:8e:b0:37:4f:ef:c5:79:43:8f:e1:29:6d:0b:cf:6a:65:58:b3:35
  pubkey:    ECDSA 384 bits, has private key
  keyid:     ef:5a:f5:de:7d:ab:a2:40:e5:53:27:0b:e8:2c:54:3f:28:e7:0c:c4
  subjkey:   52:8e:b0:37:4f:ef:c5:79:43:8f:e1:29:6d:0b:cf:6a:65:58:b3:35
```
```
May 1 21:09:56 11[CFG] vici client 1 requests: load-conn
May 1 21:09:56 11[CFG]   conn default:
May 1 21:09:56 11[CFG]     child net:
May 1 21:09:56 11[CFG]       rekey_time = 3600
May 1 21:09:56 11[CFG]       life_time = 3960
May 1 21:09:56 11[CFG]       rand_time = 360
May 1 21:09:56 11[CFG]       rekey_bytes = 0
May 1 21:09:56 11[CFG]       life_bytes = 0
May 1 21:09:56 11[CFG]       rand_bytes = 0
May 1 21:09:56 11[CFG]       rekey_packets = 0
May 1 21:09:56 11[CFG]       life_packets = 0
May 1 21:09:56 11[CFG]       rand_packets = 0
May 1 21:09:56 11[CFG]       updown = (null)
May 1 21:09:56 11[CFG]       hostaccess = 0
May 1 21:09:56 11[CFG]       ipcomp = 0
May 1 21:09:56 11[CFG]       mode = TUNNEL
May 1 21:09:56 11[CFG]       policies = 1
May 1 21:09:56 11[CFG]       policies_fwd_out = 0
May 1 21:09:56 11[CFG]       dpd_action = clear
May 1 21:09:56 11[CFG]       start_action = clear
May 1 21:09:56 11[CFG]       close_action = clear
May 1 21:09:56 11[CFG]       reqid = 0
May 1 21:09:56 11[CFG]       tfc = 0
May 1 21:09:56 11[CFG]       priority = 0
May 1 21:09:56 11[CFG]       interface = (null)
May 1 21:09:56 11[CFG]       mark_in = 0/0
May 1 21:09:56 11[CFG]       mark_in_sa = 0
May 1 21:09:56 11[CFG]       mark_out = 0/0
May 1 21:09:56 11[CFG]       inactivity = 3600
May 1 21:09:56 11[CFG]       proposals = ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
May 1 21:09:56 11[CFG]       local_ts = 10.0.0.0/20
May 1 21:09:56 11[CFG]       remote_ts = dynamic
May 1 21:09:56 11[CFG]       hw_offload = 0
May 1 21:09:56 11[CFG]       sha256_96 = 0
May 1 21:09:56 11[CFG]     version = 2
May 1 21:09:56 11[CFG]     local_addrs = %any
May 1 21:09:56 11[CFG]     remote_addrs = %any
May 1 21:09:56 11[CFG]     local_port = 500
May 1 21:09:56 11[CFG]     remote_port = 500
May 1 21:09:56 11[CFG]     send_certreq = 1
May 1 21:09:56 11[CFG]     send_cert = CERT_ALWAYS_SEND
May 1 21:09:56 11[CFG]     mobike = 1
May 1 21:09:56 11[CFG]     aggressive = 0
May 1 21:09:56 11[CFG]     dscp = 0x00
May 1 21:09:56 11[CFG]     encap = 1
May 1 21:09:56 11[CFG]     dpd_delay = 0
May 1 21:09:56 11[CFG]     dpd_timeout = 0
May 1 21:09:56 11[CFG]     fragmentation = 2
May 1 21:09:56 11[CFG]     unique = UNIQUE_REPLACE
May 1 21:09:56 11[CFG]     keyingtries = 1
May 1 21:09:56 11[CFG]     reauth_time = 0
May 1 21:09:56 11[CFG]     rekey_time = 14400
May 1 21:09:56 11[CFG]     over_time = 1440
May 1 21:09:56 11[CFG]     rand_time = 1440
May 1 21:09:56 11[CFG]     proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
May 1 21:09:56 11[CFG]     local:
May 1 21:09:56 11[CFG]       id = vpnserver
May 1 21:09:56 11[CFG]     local:
May 1 21:09:56 11[CFG]       id = vpnserver1
May 1 21:09:56 11[CFG]     remote:
May 1 21:09:56 11[CFG]       eap_id = %any
May 1 21:09:56 11[CFG]       eap-type = EAP_MSCHAPV2
May 1 21:09:56 11[CFG]       class = EAP
May 1 21:09:56 11[CFG] added vici connection: default
```
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
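An added swanctl.conf sketch, not from the original post: the `local` and `local1` sections above load as two authentication rounds of the same connection (the log shows both under `conn default`), and rounds are steps one peer must all complete, not alternatives the client picks by IDr. One way to offer a different server certificate per identity is therefore one connection per identity, each with a single `local` round. The connection names `vpnserver-ecdsa` and `vpnserver-rsa` are assumptions; the IDs, certificate files, pool and child settings are the ones from the post.

```conf
connections {
    # Served when the client sends IDr = vpnserver (ECDSA certificate).
    vpnserver-ecdsa {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/20
                inactivity = 1h
            }
        }
    }
    # Served when the client sends IDr = vpnserver1 (RSA certificate).
    # A client that sends no IDr (ID_ANY, as the Windows client in the post)
    # matches either connection; the first loaded one is used.
    vpnserver-rsa {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        local {
            id = vpnserver1
            certs = vpnserver1.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/20
                inactivity = 1h
            }
        }
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` should show each connection with exactly one local ID, and the `peer config match local` line in the daemon log should score non-zero for the connection whose ID the client sent.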