Are there any strongswan experts here.... I'm just trying to get a Strongswan roadwarrior setup going that can be used from an android stock VPN client using IPSEC Xauth. (i've also tried from an IPAD with same user cert)

With a cert based auth, you can identify the road warrior client by ID_DER_ASN1_DN on the cert or by a san name.
So if the cert contains
Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongswan, CN=MKpeer'

The conf file for that conn should match that to
rightid="C=CH, O=strongswan, CN=*"

That's right out of the strongswan guide. But no matter what I try, I can't get a match....

Jul 9 20:54:42 vpn-test2010-perimeter pluto[12686]: "rw-rsa-xauth"[1] 166.205.49.251:8348 #1: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongswan, CN=MKpeer'
Jul 9 20:54:42 vpn-test2010-perimeter pluto[12686]: "rw-rsa-xauth"[1] 166.205.49.251:8348 #1: crl not found
Jul 9 20:54:42 vpn-test2010-perimeter pluto[12686]: "rw-rsa-xauth"[1] 166.205.49.251:8348 #1: certificate status unknown
Jul 9 20:54:42 vpn-test2010-perimeter pluto[12686]: "rw-rsa-xauth"[1] 166.205.49.251:8348 #1: no suitable connection for peer 'C=CH, O=strongswan, CN=MKpeer'
Jul 9 20:54:42 vpn-test2010-perimeter pluto[12686]: "rw-rsa-xauth"[1] 166.205.49.251:8348 #1: sending encrypted notification INVALID_ID_INFORMATION to 166.205.49.251:8348

I've tried different CA's, ipsec pki tool, openssl, Microsoft CA.... All give me the exact same result.
I've redone the certs too many times, same result...

I've been trying every combination over days of this.... I must be missing something so simple.

Someone save my sanity please and explain to me what I'm doing wrong. Logs, configs, etc are all available upon request. .... I'll buy you a sixpack.