[strongSwan] understanding %fromcert

[Daniel Pocock]

Hi,

I notice the ipsec.conf man page found in Google states that %fromcert
uses the DN:

http://linux.die.net/man/5/ipsec.conf

while the wiki page doesn't mention %fromcert but talks about "%":

http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

Can somebody clarify this?  In particular, if there is both a DN and one
or more subjectAltName values, how does it choose which one to send? 
Will it try them all?

Regards,

Daniel