Bug #4825
closed
Mobile client IPsec config omits peer identifier
Added by Moritz Bechler over 9 years ago.
Updated almost 8 years ago.
Description
The strongswan connection config generated for a mobile client association does not include the configured peer identifier (pattern). Therefore when using certificate authentication all certificates issued by the configured CA will be accepted instead of only the certificates matching the pattern.
Marking private as this might have severe security implications in some setups.
Thanks for the report, I'll review.
- Assignee set to Chris Buechler
- Target version set to 2.2.4
Looks like left/rightcertpolicy is the only option here. Generally a non-issue because people generate a CA just for IPsec.
I don't understand what you mean. The problem is that even though you configure a remote identifier, which e.g. might restrict the client certificates used to ones matching a special pattern, the generated configuration does not include that setting at all. This used to work correctly in <2.2.
For example we have one CA for the certificates but two gateways, and one should only accept certificates having a certain OU. After upgrading any certificate will work for any gateway.
Now I'm confused that I was looking at something different from what you were referring to. Could you share your 2.1.x config? Can email to cmb at pfsense dot org.
Don't have the 2.1 config around anymore, sorry. But I do not think it is necessary.
In
https://github.com/pfsense/pfsense/blob/31ae45d2535e73f58b307f18227ba29a9061d2af/etc/inc/vpn.inc#L836
we have
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';
if (!isset($ph1ent['mobile'])) {
whereas in 2.1 the condition was
if (!(($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile']))) {
and as far as I can see the condition simply does not do what is stated in the comment (I don't really understand the rationale for the mobile/PSK exclusion either, but that's not the point here). That results in no rightid generated at all for a mobile client's tunnel, which is bad as some people rely on this.
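An audit check for the condition the report describes, written here as an added example in Python rather than taken from pfSense's vpn.inc: it parses conn sections of a generated ipsec.conf and flags mobile certificate-authenticated conns that carry no rightid, which is exactly the state in which every certificate from the CA is accepted. The sample config is constructed, and treating rightsourceip as the marker of a mobile conn and rightauth=pubkey / authby=rsasig as certificate authentication are assumptions of this example.

```python
import re

# Constructed ipsec.conf excerpt (not pfSense output): con1 is a mobile
# cert-auth conn with no rightid, con2 has a restricting rightid pattern,
# con3 is a PSK-only mobile conn where no rightid is expected.
SAMPLE_IPSEC_CONF = """\
conn con1
    keyexchange = ikev2
    leftauth = pubkey
    rightauth = pubkey
    leftid = vpn.example.org
    rightsourceip = 10.8.0.0/24

conn con2
    keyexchange = ikev2
    leftauth = pubkey
    rightauth = pubkey
    leftid = vpn.example.org
    rightid = "OU=vpn-gw-a, *"
    rightsourceip = 10.8.0.0/24

conn con3
    keyexchange = ikev1
    authby = psk
    rightsourceip = 10.8.1.0/24
"""

def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}; other sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'conn\s+(\S+)$', line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and '=' in line:
            key, value = line.split('=', 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def uses_cert_auth(opts):
    # Assumption: certificate auth shows up as rightauth=pubkey or authby=rsasig/pubkey.
    return opts.get('rightauth') == 'pubkey' or opts.get('authby', '') in ('rsasig', 'pubkey')

def is_mobile(opts):
    # Assumption: a responder conn that hands out virtual IPs is a mobile-client conn.
    return 'rightsourceip' in opts

def find_unrestricted_mobile_conns(text):
    """Names of mobile cert-auth conns lacking rightid, i.e. any cert from the CA is accepted."""
    return sorted(name for name, opts in parse_conns(text).items()
                  if is_mobile(opts) and uses_cert_auth(opts) and not opts.get('rightid'))
```

Running find_unrestricted_mobile_conns over the ipsec.conf pfSense writes is a quick way to confirm whether a mobile tunnel ended up with the peer identifier you configured.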
- Subject changed from Mobile client IPSec config ignores peer identifier to Mobile client IPsec config omits peer identifier
- Target version changed from 2.2.4 to 2.2.5
- Assignee changed from Chris Buechler to Matthew Smith
- Priority changed from Very High to Normal
- Status changed from New to Feedback
This works in 2.2.4 and 2.2.5 for non-PSK authentication types.
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
this is fine as is in 2.2.4 and newer.
- Private changed from Yes to No