> From what I can see, I’m requesting --remote-identity vpnserver but the
> server is choosing vpnserver1.
charon-cmd does not send the configured identity (i.e. it does not send
an IDr payload). The configured identity is only used to match against
the returned identity/certificate. This is basically as if you
configured rightid=%vpnserver in ipsec.conf. So the server is free to
select whichever config it wants (it will just use the first one
loaded), so if you have multiple matching configs (based on the IPs and
IKE version) with different identities this could be problematic.
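A simplified model of the selection behaviour described above, added here as an illustration; it is not strongSwan code and not part of the original message. The connection names, addresses and `Conn` fields are constructed, and treating a received IDr as an exact-match filter is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    name: str         # hypothetical connection name
    local_addr: str   # "%any" acts as a wildcard
    remote_addr: str
    ike_version: int
    local_id: str     # identity the responder presents (IDr in its reply)

# Constructed responder configs, listed in load order.
CONNS = [
    Conn("rw-1", "%any", "%any", 2, "vpnserver1"),
    Conn("rw-2", "%any", "%any", 2, "vpnserver"),
]

def _addr_ok(pattern, addr):
    return pattern == "%any" or pattern == addr

def select_conn(conns, local, remote, ike_version, idr=None):
    """Return the first loaded config matching IPs and IKE version.
    idr=None models an initiator that sends no IDr payload, so the
    responder's own identity cannot narrow the choice."""
    for c in conns:
        if not (_addr_ok(c.local_addr, local) and _addr_ok(c.remote_addr, remote)):
            continue
        if c.ike_version != ike_version:
            continue
        if idr is not None and c.local_id != idr:
            continue
        return c
    return None

def initiator_accepts(expected_id, returned_id):
    """The configured remote identity is only compared with what came back."""
    return expected_id == returned_id

def ambiguous_groups(conns):
    """Audit helper: configs sharing addresses and IKE version but differing
    in identity. Compares address patterns literally, so overlap between
    "%any" and a specific address is not detected."""
    groups = {}
    for c in conns:
        groups.setdefault((c.local_addr, c.remote_addr, c.ike_version), []).append(c)
    return [[c.name for c in g] for g in groups.values()
            if len({c.local_id for c in g}) > 1]
```

Running `ambiguous_groups` over a responder's connection list flags the case the reply warns about before a client hits the identity mismatch.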