Hi Kostya,

> It seems to me that at this point the server should already know which
> connection "block" it's dealing with

It doesn't. At that point (IKE_SA_INIT response) it only has IP addresses to select an initial partial config, that is, there is no peer config with identities and certs yet.

> Also does the above mean that either client can authenticate through either
> CA cert, even the other connection's?

No. If the client's certificate is issued by a CA that's not allowed, the connection gets switched, or the client is rejected if no config matches.

Regards,
Tobias
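The two-stage selection described in the reply, modelled as an added example (not code from the thread or from the strongSwan project): at IKE_SA_INIT only the addresses are known, so a partial config is picked; at IKE_AUTH the peer identity and certificate issuer decide whether that config is kept, switched for another one with the same addresses, or the peer is rejected. The `PeerConfig` fields, the `%any` wildcard and the sample connections are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PeerConfig:
    name: str
    local_addr: str   # "%any" matches every address (constructed wildcard)
    remote_addr: str
    remote_id: str    # identity the peer must present at IKE_AUTH ("%any" = any)
    remote_ca: str    # CA that must have issued the peer certificate

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "%any" or pattern == addr

def addresses_match(cfg: PeerConfig, local_ip: str, remote_ip: str) -> bool:
    return _addr_match(cfg.local_addr, local_ip) and _addr_match(cfg.remote_addr, remote_ip)

def select_initial(configs: List[PeerConfig], local_ip: str, remote_ip: str) -> Optional[PeerConfig]:
    """IKE_SA_INIT: only IP addresses are known, so take the first config whose
    addresses fit. Identity and certificate are not checked yet."""
    for cfg in configs:
        if addresses_match(cfg, local_ip, remote_ip):
            return cfg
    return None

def auth_matches(cfg: PeerConfig, peer_id: str, issuer_ca: str) -> bool:
    return cfg.remote_id in ("%any", peer_id) and cfg.remote_ca == issuer_ca

def select_at_auth(configs: List[PeerConfig], initial: Optional[PeerConfig],
                   local_ip: str, remote_ip: str, peer_id: str,
                   issuer_ca: str) -> Tuple[Optional[PeerConfig], str]:
    """IKE_AUTH: identity and certificate issuer are now known. Keep the initial
    config if it allows them, otherwise switch to another config with matching
    addresses; reject the peer if no config matches."""
    if initial is not None and auth_matches(initial, peer_id, issuer_ca):
        return initial, "kept"
    for cfg in configs:
        if cfg is not initial and addresses_match(cfg, local_ip, remote_ip) \
                and auth_matches(cfg, peer_id, issuer_ca):
            return cfg, "switched"
    return None, "rejected"

# Constructed sample: two connections on the same addresses trusting different CAs.
CONFIGS = [
    PeerConfig("conn-a", "203.0.113.10", "%any", "%any", "CA-A"),
    PeerConfig("conn-b", "203.0.113.10", "%any", "bob@example.org", "CA-B"),
]
```

A client with a CA-B certificate first lands on `conn-a` after IKE_SA_INIT and is moved to `conn-b` at IKE_AUTH; one with a certificate from an unknown CA is rejected.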
