OPNsense Forum » English Forums » Virtual private networks » IPsec Site-to-Site not sending expected certificate
Topic: IPsec Site-to-Site not sending expected certificate (Read 627 times)
Author: nightowleng (Newbie, Posts: 1, Karma: 0)
Posted on: June 07, 2023, 01:52:04 am
Site A is configured to connect to Site B, using EAP TLS. On Site A, I have configured 'local auth' to use "VPN - Site A" certificate. 'remote' does not specify a certificate, but the ID is specified as Site B's domain.
Site B is configured to respond to inbound connections, again using EAP TLS. 'local auth' is configured to use "VPN - Site B" certificate. 'remote' again does not specify a certificate, but the ID is specified as Site A's domain.
Both 'VPN' certificates are issued by a local CA that is installed on both systems.
This worked perfectly fine, until recently (somewhere in the 23.1.x timeline, I'm currently on 23.1.9, I can't pinpoint a specific version after which it stopped working sadly). Now, when the connection is initiated, Site B receives an expired certificate.
Both sites have Let's Encrypt certs configured under the same domains used to connect over VPN. Both are actively renewed and are working as expected. But for some reason, Site A is sending an expired Let's Encrypt certificate, instead of the one I've configured.
There are two issues here:
1. Why is it sending that certificate at all, when I believe I've configured it to use a specific, different certificate?
2. Assuming it's because it's trying to match the DN instead of using what's configured, why is it using the expired one instead of the currently active instance?
Looking at swanctl.conf on disk, the cert is specified to use the correct certificate. I even found and removed the expired certificate from the x509 subdirectory - so I genuinely don't understand how it's even sending it. I assume it's coming from somewhere else.
Let me know what additional info would be helpful to diagnose, grateful for anything obvious I've missed or screwed up unintentionally!
Logged
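A first check for a report like this is to confirm, from the files on disk, which certificate each connection's local side is configured to present, whether that file is actually in the x509 store, and whether it has expired. The script below is an added example written for this thread; it is not OPNsense or strongSwan code. It parses the brace-structured swanctl.conf format, collects the `certs` value of every `local*` section, and cross-checks it against a directory listing and the certificate's notAfter date. The config text, the store contents and the expiry dates used in the sample run are constructed; the paths `/usr/local/etc/swanctl/swanctl.conf` and `/usr/local/etc/swanctl/x509` are assumed to be where OPNsense keeps them, and reading a real certificate's expiry relies on the `openssl` binary being on PATH.

```python
"""Cross-check swanctl.conf certificate references against the x509 store.

Added example for the forum thread; not OPNsense or strongSwan code.
All sample data (config, store listing, expiry dates) is constructed.
"""
import os
import subprocess
from datetime import datetime, timezone

# Assumed OPNsense locations; adjust if the install differs.
SWANCTL_CONF = "/usr/local/etc/swanctl/swanctl.conf"
X509_DIR = "/usr/local/etc/swanctl/x509"

# Constructed swanctl.conf fragment mirroring the Site A setup in the post.
SAMPLE_CONF = """\
connections {
    site-b {
        local_addrs = 198.51.100.10
        remote_addrs = 203.0.113.20
        local {
            auth = eap-tls
            certs = vpn-site-a.crt
            id = vpn.site-a.example
        }
        remote {
            auth = eap-tls
            id = vpn.site-b.example
        }
        children {
            site-b-net {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
            }
        }
    }
}
"""


def parse_swanctl(text):
    """Parse the swanctl.conf `section { key = value }` syntax into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return root


def local_cert_refs(conf):
    """Return (connection, section, cert file) for every local* section with certs."""
    refs = []
    for conn_name, conn in conf.get("connections", {}).items():
        for sect, body in conn.items():
            # local_addrs is a plain value; local / local-1 ... are sub-sections
            if isinstance(body, dict) and sect.startswith("local") and body.get("certs"):
                for cert in body["certs"].split(","):
                    refs.append((conn_name, sect, cert.strip()))
    return refs


def cert_not_after(path):
    """Read notAfter from a PEM/DER certificate with the openssl CLI (UTC)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    stamp = out.split("=", 1)[1]  # e.g. "notAfter=Jun  7 00:00:00 2023 GMT"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def audit(refs, store_files, not_after_of, now):
    """Flag references that are missing from the store or already expired."""
    findings = []
    for conn, sect, cert in refs:
        if cert not in store_files:
            findings.append((conn, sect, cert, "not found in x509 directory"))
            continue
        expiry = not_after_of(cert)
        if expiry <= now:
            findings.append((conn, sect, cert, f"expired on {expiry:%Y-%m-%d}"))
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if os.path.isfile(SWANCTL_CONF):
        with open(SWANCTL_CONF) as fh:
            conf = parse_swanctl(fh.read())
        store = set(os.listdir(X509_DIR)) if os.path.isdir(X509_DIR) else set()
        lookup = lambda name: cert_not_after(os.path.join(X509_DIR, name))
    else:  # offline run on the constructed sample with a constructed expired cert
        conf = parse_swanctl(SAMPLE_CONF)
        store = {"vpn-site-a.crt"}
        lookup = lambda name: datetime(2023, 5, 1, tzinfo=timezone.utc)
    for finding in audit(local_cert_refs(conf), store, lookup, now):
        print("%s/%s -> %s: %s" % finding)
```

If the configured file is present and unexpired, the expired certificate observed on the wire is not the one this connection references, which narrows the question to what else strongSwan has loaded; comparing the peer-side log's certificate subject and serial against `openssl x509 -subject -serial` on each file in the x509 store is the natural next step.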