Hi Christian,

> From what I can see, I’m requesting --remote-identity vpnserver but the
> server is choosing vpnserver1.

charon-cmd does not send the configured identity (i.e. it does not send an IDr payload). The configured identity is only used to match against the returned identity/certificate. This is basically as if you configured rightid=%vpnserver in ipsec.conf.

So the server is free to select whichever config it wants (it will just use the first one loaded), so if you have multiple matching configs (based on the IPs and IKE version) with different identities this could be problematic.

Regards,
Tobias
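The behaviour described in the reply above, as a simplified model added here for illustration; it is not strongSwan code and not part of the original message. The `Conn` fields, the connection names, the address 192.0.2.1 and the `send_idr` switch (which assumes a responder filters on IDr when one is received) are hypothetical.

```python
# Simplified model of responder config selection when the initiator
# sends no IDr payload. Assumption-based sketch, not strongSwan code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    name: str          # hypothetical connection name
    local_addr: str    # responder address, or "%any"
    ike_version: int
    local_id: str      # identity the responder asserts as IDr


def responder_select(configs: List[Conn], dst_addr: str, ike_version: int,
                     requested_idr: Optional[str] = None) -> Optional[Conn]:
    """Return the first loaded config matching IPs and IKE version.

    With requested_idr=None (no IDr payload received) the identity cannot
    narrow the choice, so load order decides between equal candidates.
    """
    for conn in configs:
        if conn.local_addr not in ("%any", dst_addr):
            continue
        if conn.ike_version != ike_version:
            continue
        if requested_idr is not None and conn.local_id != requested_idr:
            continue
        return conn
    return None


def connect(configs: List[Conn], dst_addr: str, ike_version: int,
            expected_id: str, send_idr: bool) -> Tuple[Optional[str], bool]:
    """Return (selected config name, whether the initiator accepts it).

    The initiator only compares the returned identity with the one it was
    configured with, as the reply describes for --remote-identity.
    """
    idr = expected_id if send_idr else None
    chosen = responder_select(configs, dst_addr, ike_version, idr)
    if chosen is None:
        return (None, False)
    return (chosen.name, chosen.local_id == expected_id)


# Constructed sample: two configs that differ only in identity.
LOADED = [
    Conn("rw-b", "%any", 2, "vpnserver1"),  # loaded first
    Conn("rw-a", "%any", 2, "vpnserver"),
]
```

Without an IDr the initiator's expected identity plays no part in selection, so the outcome depends only on which of the overlapping configs was loaded first.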