The current version of Strongswan (5.1.2) does not work with newer versions of pfSense (Strongswan 5.3.2 based).
When using IPsec IKEv2/PSK, the identity type is now prefixed to leftid and rightid for better matching.
The change requires at least Strongswan 5.2.2, but the newest upstream is 5.3.2.
Source: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
left|rightid = <id>
Since 5.2.2 it is possible to enforce a specific identity type. For this a prefix may be used, followed by a colon (:).
If the number sign (#) follows the colon, the remaining data is interpreted as hex encoding, otherwise the string is used as-is
as the identification data. Note that this implies that no conversion is performed for non-string identities.
For example, ipv4:10.0.0.1 does not create a valid ID_IPV4_ADDR IKE identity, as it does not get converted to binary
0x0a000001. Instead, one could use ipv4:#0a000001 to get a valid identity, but just using the implicit type with automatic
conversion is usually simpler. The same applies to the ASN.1 encoded types.
The following prefixes are known: ipv4, ipv6, rfc822, email, userfqdn, fqdn, dns, asn1dn, asn1gn and keyid.
Custom type prefixes may be specified by surrounding the numerical type value with curly brackets.
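
The prefix rules quoted above, as an added Python sketch (not strongSwan or pfSense code) that shows why ipv4:10.0.0.1 fails as an ID_IPV4_ADDR while ipv4:#0a000001 works. The ID type numbers are taken from RFC 7296; the function name, the length check and the simplified implicit-type fallback are assumptions of this example.

```python
import ipaddress
import re

# IKEv2 ID type numbers (RFC 7296, section 3.5) for the prefixes listed above.
PREFIX_TYPES = {
    "ipv4": 1, "ipv6": 5,
    "rfc822": 3, "email": 3, "userfqdn": 3,
    "fqdn": 2, "dns": 2,
    "asn1dn": 9, "asn1gn": 10, "keyid": 11,
}
FIXED_LENGTH = {1: 4, 5: 16}  # ID_IPV4_ADDR and ID_IPV6_ADDR payload sizes


def parse_identity(value):
    """Return (id_type, data_bytes, valid) for a leftid/rightid string."""
    prefix, sep, rest = value.partition(":")
    custom = re.fullmatch(r"\{(\d+)\}", prefix)  # e.g. "{2}" for a custom type
    if sep and (prefix in PREFIX_TYPES or custom):
        id_type = int(custom.group(1)) if custom else PREFIX_TYPES[prefix]
        # '#' after the colon means hex; otherwise the string is used as-is,
        # with no conversion to the binary form the type expects.
        data = bytes.fromhex(rest[1:]) if rest.startswith("#") else rest.encode()
    else:
        # Implicit type (simplified assumption): convert IP literals to
        # binary, treat everything else as an FQDN string.
        try:
            addr = ipaddress.ip_address(value)
            id_type, data = (1 if addr.version == 4 else 5), addr.packed
        except ValueError:
            id_type, data = 2, value.encode()
    expected = FIXED_LENGTH.get(id_type)
    valid = expected is None or len(data) == expected
    return id_type, data, valid


if __name__ == "__main__":
    # Constructed sample values, based on the address used in the text.
    for sample in ("ipv4:10.0.0.1", "ipv4:#0a000001", "10.0.0.1",
                   "fqdn:vpn.example.org", "{2}:vpn.example.org"):
        print(sample, "->", parse_identity(sample))
```

Comparing the tuple each peer would derive from its configured leftid/rightid makes a type or encoding mismatch visible before it shows up as a failed PSK lookup.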