Hello Andreas Thank you for the clear explanation and example. General strongSwan question: Which among all certificates from "/etc/ipsec.d/cacerts/" strongSwan will choose to build the list of its trust anchors to be sent in its CERTREQ payload? Best Regards Mugur