Comment 3 for bug 1451091

Bruno Thomsen (bth-v) wrote :

The current version of strongSwan (5.1.2) does not work with newer versions of pfSense (strongSwan 5.3.2 based).
When using IPsec IKEv2/PSK, the identity type is now prefixed to leftid and rightid for better matching.
The change requires at least strongSwan 5.2.2, but the newest upstream is 5.3.2.

Source: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

left|rightid = <id>

Since 5.2.2 it is possible to enforce a specific identity type. For this a prefix may be used, followed by a colon (:).
If the number sign (#) follows the colon, the remaining data is interpreted as hex encoding, otherwise the string is used as-is
as the identification data. Note that this implies that no conversion is performed for non-string identities.
For example, ipv4:10.0.0.1 does not create a valid ID_IPV4_ADDR IKE identity, as it does not get converted to binary
0x0a000001. Instead, one could use ipv4:#0a000001 to get a valid identity, but just using the implicit type with automatic
conversion is usually simpler. The same applies to the ASN.1 encoded types.
The following prefixes are known: ipv4, ipv6, rfc822, email, userfqdn, fqdn, dns, asn1dn, asn1gn and keyid.
Custom type prefixes may be specified by surrounding the numerical type value with curly brackets.
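
The prefix rules quoted above, as an added example that is not part of the original comment and is not strongSwan code: a small lint that shows why `ipv4:10.0.0.1` yields a malformed ID while `ipv4:#0a000001` does not. The function names are hypothetical, the ID type numbers are those of RFC 7296, and the `{11}:` custom-type form and exact-case prefix matching are assumptions based on the description; implicit (unprefixed) identities are not modelled.

```python
import re

# IKEv2 ID type numbers from RFC 7296, keyed by the prefixes listed above.
PREFIX_TYPES = {
    "ipv4": 1, "fqdn": 2, "dns": 2,
    "rfc822": 3, "email": 3, "userfqdn": 3,
    "ipv6": 5, "asn1dn": 9, "asn1gn": 10, "keyid": 11,
}
# Address types carry a fixed-length binary payload.
FIXED_LEN = {1: 4, 5: 16}
# Assumed custom-type syntax: numeric type value in curly brackets, e.g. {11}
CUSTOM = re.compile(r"^\{(\d+)\}$")


def parse_prefixed_id(value):
    """Return (id_type, data_bytes) for a '<prefix>:<data>' identity.

    Simplified model: implicit (unprefixed) identities are not handled.
    """
    prefix, sep, rest = value.partition(":")
    if not sep:
        raise ValueError("no type prefix: implicit typing is not modelled here")
    m = CUSTOM.match(prefix)
    if m:
        id_type = int(m.group(1))
    elif prefix in PREFIX_TYPES:
        id_type = PREFIX_TYPES[prefix]
    else:
        raise ValueError(f"unknown identity prefix: {prefix!r}")
    if rest.startswith("#"):
        data = bytes.fromhex(rest[1:])   # '#' means the rest is hex encoded
    else:
        data = rest.encode("ascii")      # used as-is, no conversion
    return id_type, data


def lint_id(value):
    """Return a warning string if the identity would be malformed, else None."""
    id_type, data = parse_prefixed_id(value)
    want = FIXED_LEN.get(id_type)
    if want is not None and len(data) != want:
        return f"type {id_type} needs {want} bytes, got {len(data)}: {data!r}"
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for s in ("ipv4:10.0.0.1", "ipv4:#0a000001", "fqdn:vpn.example.org", "{11}:#c0ffee"):
        print(s, "->", parse_prefixed_id(s), lint_id(s) or "ok")
```

Running the lint over the leftid/rightid values on both peers before an upgrade flags prefixed address identities that would be sent as text instead of binary.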