IPsec sending all CA certs, even with PSK auth only

Started by mfedv, March 22, 2020, 08:39:27 PM

Note: this does not prevent IPsec connection setup; it just inflates IKE_AUTH packages more than strictly necessary.

On one installation, for HTTPS reverse proxying I use the os-acme plugin, starting with the staging environment and later switching to the production environment. Also, for OpenVPN I set up a local CA on the firewall.

Now I have added an IPsec connection with PSK authentication, and all three CA certs above are being used in IKE_AUTH messages:

Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "CN=Fake LE Intermediate X1"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "C=DE, ST=Hessen, L=Darmstadt, O=MyCorp, E=tech@mycorp.corp, CN=MyCorp-OVPN-RootCA"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> authentication of 'a.b.c.d' (myself) with pre-shared key
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> establishing CHILD_SA con4{11}
Mar 22 17:54:08 OPNsense1 charon: 10[ENC] <con4|7> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

(It is con4 now, not con1, because I have added some more PSK-only connections to experiment with.)

All three CA certs are in /usr/local/etc/ipsec.d/cacerts/. strongSwan adds them all to IKE_AUTH packages, although the config says leftauth=psk / rightauth=psk. Is this a bug in strongSwan?

Still, the GUI could perhaps be more selective in adding CA certs.
In /usr/local/etc/inc/plugins.inc.d/ipsec.inc at line 1093 it writes every CA cert from config.xml to /usr/local/etc/ipsec.d/cacerts/. At line 1117 it writes user/server certificates to /usr/local/etc/ipsec.d/certs, but only if they are referenced in an enabled phase1 definition. Perhaps CA certs could be restricted the same way.
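To check a charon log for PSK-authenticated IKE SAs that still sent CERTREQ entries, here is an added Python example (not from the original post, nor from OPNsense or strongSwan); the sample log lines are constructed in the format shown above, and the payload-size estimate assumes a single CERTREQ payload per IKE_AUTH request.

```python
import re

# Constructed sample lines in the charon log format quoted in the post (not a real capture).
SAMPLE_LOG = """\
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "CN=Fake LE Intermediate X1"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> authentication of 'a.b.c.d' (myself) with pre-shared key
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> establishing CHILD_SA con4{11}
Mar 22 17:54:09 OPNsense1 charon: 11[IKE] <con5|8> authentication of 'a.b.c.d' (myself) with pre-shared key
"""

# "<conn|ike-sa-id>" prefix, then the two message types we care about.
CERTREQ_RE = re.compile(r'<(?P<conn>[^|>]+)\|(?P<ike>\d+)> sending cert request for "(?P<dn>[^"]+)"')
PSK_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> authentication of .* with pre-shared key")


def certreq_by_psk_sa(log_text):
    """Return {(conn, ike_sa_id): [CA DNs]} for IKE SAs that authenticated with a
    pre-shared key but still announced one or more trusted CAs via CERTREQ."""
    certreqs = {}
    psk_sas = set()
    for line in log_text.splitlines():
        m = CERTREQ_RE.search(line)
        if m:
            certreqs.setdefault((m["conn"], int(m["ike"])), []).append(m["dn"])
            continue
        m = PSK_RE.search(line)
        if m:
            psk_sas.add((m["conn"], int(m["ike"])))
    return {sa: dns for sa, dns in certreqs.items() if sa in psk_sas}


def certreq_payload_bytes(num_cas):
    """Rough size of one IKEv2 CERTREQ payload for X.509 certificates:
    4-byte generic payload header + 1-byte Cert Encoding field + one 20-byte
    SHA-1 hash of each trusted CA's SubjectPublicKeyInfo (RFC 7296, section 3.7)."""
    return 4 + 1 + 20 * num_cas


if __name__ == "__main__":
    for (conn, ike), dns in certreq_by_psk_sa(SAMPLE_LOG).items():
        print(f"{conn} IKE_SA #{ike}: PSK auth but {len(dns)} CERTREQ entries "
              f"(~{certreq_payload_bytes(len(dns))} bytes): {dns}")
```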