linux

Strongswan client linux configuration or what am I doing wrong?

strongswan server ipsec.conf

conn %default
        ikelifetime=3h
        keylife=20m
        rekeymargin=3m
        keyingtries=2
        mobike=no
conn win_ike2_domain
        left=%defaultroute
        leftauth=pubkey
        leftcert=vpnhost.pem                        # the host cert
        [email protected]            # the SAN (Alt name) in the Cert
        leftsubnet=0.0.0.0/0                        # The internal subnet the remote user wants to access
        right=%any                                  # Connections can come from anywhere
        rightauth=eap-radius
        rightsendcert=never
        rightsourceip=10.10.10.0/24                  # Use this pool of IPs to assign to these inbound connections
        auto=add
        eap_identity=%any
        keyexchange=ikev2
        fragmentation=yes
        dpdaction=clear

Radius - Windows 2012 Network Policy Server
The server certificate contains the SAN for this host issued to the dns.domain.name host, which is different from the dns of this host
. My Mac and Windows clients connect without problems.
There were two :D Linux users who couldn't.
How should strongswan's ipsec.conf configuration look like on the client side in case of my configuration?
the server is represented by a certificate. the client is represented by an EAP (domain account) registered in secrets.
What should ipsec.secrets look like?
login : EAP "password"
or
domain\login : EAP "password"
or
[email protected] : EAP "password"
Who faced a similar configuration, can you tell me the correct configuration of the
PS client part, you are primarily interested in console settings, integration with the network manager is not needed yet.
Maybe something else besides strongswan needs to be installed in Linux, which I don't suspect?