Hi Aanand,

> Can this capability be added in the next release?

The problem is that some implementations (including strongSwan with default settings) might not send a certificate back if they don't receive a matching certificate request. So disabling them will only work if the server behaves appropriately.

Sending them all, by the way, is the same behavior seen with Windows' built-in IKEv2 client. And with IKEv2 fragmentation the size of the IKE_AUTH messages is not an issue anymore (if the server supports it, of course; since the Windows client does not support it, and does not allow selecting a single CA, it actually is a problem there).

On the other hand, the iOS IKEv2 client does not send any certificate requests unless a specific CA is configured, therefore common server configs will probably force sending the server certificate anyway (in strongSwan via leftsendcert/send_cert=always).

So maybe we could add an option to avoid sending certificate requests too, but the only use case I can see for this is reducing the size of the IKE_AUTH message with servers that (1) do not support fragmentation but (2) always send the certificate, and either the user doesn't know which CA certificate she has to select (otherwise selecting the right certificate should do the trick), or if more than one CA certificate is required when using EAP-TLS. However, for the latter we could also add an option to select an additional specific AAA CA certificate (together with the selected CA certificate for IKE that would then only add two certificate requests to IKE_AUTH).

Regards,
Tobias
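As an added illustration (not part of Tobias' message or the strongSwan project's own documentation), a minimal swanctl.conf fragment for the server side of the situation described above: the server is configured to send its certificate regardless of whether the client included a matching certificate request, and IKEv2 fragmentation is left enabled so the larger IKE_AUTH message is not a problem for clients that support it. The connection name `ikev2-eap`, the certificate file name `server.pem`, the identity `vpn.example.org` and the address pool are placeholders; the EAP-TLS backend (plugin or RADIUS) is assumed to be set up separately and is not shown.

```ini
# /etc/swanctl/swanctl.conf (added example; names and identities are placeholders)
connections {
    ikev2-eap {
        version = 2

        # Default is 'ifasked': the server only sends its certificate if the
        # client's IKE_AUTH carried a certificate request matching one of its
        # trust anchors.  'always' sends it unconditionally, which is what
        # clients that send no certificate requests (e.g. the iOS client with
        # no specific CA configured) rely on.
        send_cert = always

        # Server-side counterpart of the client behaviour discussed above:
        # whether to send certificate request payloads to the peer at all.
        # 'yes' is the default and is kept here.
        send_certreq = yes

        # IKEv2 fragmentation (RFC 7383) is enabled by default ('yes'); it is
        # only used if the peer also supports it.  'no' would disable it, in
        # which case IKE_AUTH size can again become an issue with large
        # certificate chains or many certificate requests.
        fragmentation = yes

        local {
            auth = pubkey
            certs = server.pem
            id = vpn.example.org
        }
        remote {
            # EAP-TLS clients are authenticated via the EAP backend; the CA(s)
            # used for the AAA side are configured there, separately from the
            # CA used to verify the server certificate for IKE.
            auth = eap-tls
            eap_id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
        pools = clients
    }
}

pools {
    clients {
        addrs = 10.10.0.0/24
    }
}
```

For comparison, the equivalent ipsec.conf settings mentioned in the message are `leftsendcert=always` and `fragmentation=yes` on the server's conn. With `send_cert` left at its default of `ifasked`, a client that sends no certificate request for the server's CA will not receive the server certificate and authentication fails, which is exactly why disabling certificate requests on the client only works if the server is configured as above.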