OK. Example peers.
0.0.0.0, server cert = "server" remote cert = "client1"
0.0.0.0, server cert = "server" remote cert = "client2"
Each will work fine by itself, but if you enable both, you get identity mismatches. I know years ago I was able to do this no problem (linux/freeswan). The only time you couldn't have multiple dynamic endpoints was if you were using shared key authentication. It's like MT is trying to force the clients to use the wrong peer definition.
BUT. I know when I did this before, I only needed one 0.0.0.0 line and a server cert and the remote cert was trusted based on the signing authority. It seems that is how it should work here, but when I manually add the peer in a terminal with no client cert, the connection errors out with no cert found.
Can anyone help?
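The two layouts described in the post, written out as RouterOS 6 `/ip ipsec peer` commands. This is an added illustration, not configuration from the original post or from MikroTik; the certificate names `server`, `client1`, `client2` and `ca` are assumed, and the `remote-certificate`, `generate-policy` and `passive` parameters are used as they exist in RouterOS 6 peer entries.

```routeros
# Layout A (what the post describes as failing with identity mismatches):
# two dynamic peers at 0.0.0.0, each pinned to one client certificate.
# Certificate names are assumed for this example.
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server \
    remote-certificate=client1 generate-policy=port-strict passive=yes \
    exchange-mode=main comment="client1 only"
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server \
    remote-certificate=client2 generate-policy=port-strict passive=yes \
    exchange-mode=main comment="client2 only"

# Layout B (the single-peer form the post expects to work): one dynamic
# peer, no remote-certificate pinned, so the client certificate is judged
# by which CA signed it rather than by a per-client entry.
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server \
    generate-policy=port-strict passive=yes exchange-mode=main \
    comment="any client signed by the trusted CA"

# Check a defender would do before debugging the peer itself: the signing
# CA must be in the certificate store and flagged trusted, otherwise no
# client certificate can be accepted on CA trust alone.
/certificate print detail where name=ca
/certificate set [find name=ca] trusted=yes
```

Layout B is the only one that scales to many dynamic clients, and it keeps the trust decision in one place (the CA) instead of one peer entry per client. If Layout B still reports that no certificate is found, the first things to confirm are that the CA is present and trusted on the router and that the client actually presents a certificate chained to it; log the `ipsec` topic (`/system logging add topics=ipsec`) while a client connects to see which identity the router is rejecting.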