Hi [sorry - previously replied to single poster, not the list]
Thanks for the pointer. I've got it working! The Cisco ASA appears to send the Distinguished Name as its identifier, so changing: id = vpntest.example.com to id = "C=UK, ST=Example, O=Example, OU=Example, CN=vpntest.example.com" Worked! The key to solving this is understanding what the remote end is sending, and this appears to vary depending on device. Hopefully this information will be useful to others too. Thanks Julian You are receiving this message from Capita Software. Should you wish to see how we may have collected or may use your information, or view ways to exercise your individual rights, see our Privacy Notice<https://www.capitasoftware.com/PrivacyNotice> This email is security checked and subject to the disclaimer on web-page: http://www.capita.co.uk/email-disclaimer.aspx
