StrongSwan (as responder) selects a configured connection (conn section in ipsec.conf) for each incoming initiator key exchange intent.
At which times does strongSwan pick a connection configuration? Does it narrow possible connections one-by-one based on the knowledge gathered so far?
E.g. in an IKEv2 exchange, the first packet does not contain the identifier (“rightid”) yet, but connections with keyexchange=ikev1 are out of the question already.
The first response (in case no cookies are involved) should already indicate the algorithms selected for the IKE SA, so some connection has to be selected. How could strongSwan possibly do this at that point?
A preliminary configuration is selected based on the IP addresses (left|right) and the IKE version. The best match (or the first if multiple configurations match equally well) is used until the identities in the IKE_AUTH exchange are available.
Using the identities, a switch to a different connection will occur based on the values in left|rightid (and again the IKE version). All matching connections are candidates (best match first) that might later be switched to, e.g. based on the authentication rounds and constraints like rightca or rightgroups.
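To make the two stages concrete, here is an added ipsec.conf fragment (written for this page, not the answerer's own or from the strongSwan documentation) with three conn sections on one responder; the addresses, identities and the CA DN are constructed placeholders.

```ini
# Added example: three conn sections on one responder, annotated with the
# selection stages described in the answer. All names and values are constructed.
config setup

conn %default
        left=203.0.113.1          # responder address, shared by all conns
        right=%any                # any initiator address is accepted
        leftauth=pubkey
        rightauth=pubkey

# Stage 1 (IKE_SA_INIT): only left/right and keyexchange are known.
# An IKEv2 initiator can never match this conn, so it is excluded at once.
conn legacy-v1
        keyexchange=ikev1
        rightid=@legacy.example.com
        auto=add

# Both remaining conns match an IKEv2 initiator equally well on addresses
# (right=%any), so the first one, branch-a, is the preliminary config and
# supplies the IKE proposal used in the IKE_SA_INIT response.
conn branch-a
        keyexchange=ikev2
        rightid=@branch-a.example.com
        auto=add

# Stage 2 (IKE_AUTH): the initiator's IDi is compared against rightid. If it
# presents @branch-b.example.com, strongSwan switches from branch-a to branch-b;
# rightca is then enforced as a constraint on the presented certificate chain.
conn branch-b
        keyexchange=ikev2
        rightid=@branch-b.example.com
        rightca="C=CH, O=Example, CN=Branch CA"
        auto=add
```

A useful check while debugging selection is that the IKE proposal in the IKE_SA_INIT response comes from the preliminary conn (here branch-a), so conns that must offer different IKE algorithms to different peers cannot be told apart on identity alone at that stage.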