@jegr the new strongswan/pfsense version, in case of cert ipsec vpn, will look for a private key that corresponds exactly to the identifier

previouly this check wasn't done, in the previous version you can choose also the ip as identifier although it was not "stated" as CN or SAN in the cert used for authentication