StrongSwan 客户端连接失败，约束检查失败

客户端设备（运行 Windows 10 和 Android，带有 StrongSwan 应用程序）无法连接。证书由一个机构签署，CN 被设置为服务器公共 IP。这是 ipsec.conf：

config setup
include /var/lib/strongswan/ipsec.conf.inc

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    esp=aes128gcm16-sha2_256-ecp256!
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=18.193.252.13
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

这是系统日志：

Feb 19 07:03:03 ip-172-26-11-47 charon: 10[NET] received packet: from 202.160.39.38[48240] to 172.26.11.47[500] (716 bytes)
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[IKE] 202.160.39.38 is initiating an IKE_SA
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[IKE] local host is behind NAT, sending keep alives
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[IKE] remote host is behind NAT
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[NET] sending packet: from 172.26.11.47[500] to 202.160.39.38[48240] (264 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[NET] received packet: from 202.160.39.38[39128] to 172.26.11.47[4500] (421 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] peer supports MOBIKE
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] authentication of 'CN=public ip' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] sending end entity cert "CN=public ip"
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] splitting IKE message (1942 bytes) into 2 fragments
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[NET] sending packet: from 172.26.11.47[4500] to 202.160.39.38[39128] (1248 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[NET] sending packet: from 172.26.11.47[4500] to 202.160.39.38[39128] (759 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[NET] received packet: from 202.160.39.38[39128] to 172.26.11.47[4500] (65 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[NET] sending packet: from 172.26.11.47[4500] to 202.160.39.38[39128] (65 bytes)

并从 Android 设备记录：

Feb 19 09:27:42 00[DMN] Starting IKE service (strongSwan 5.9.1rc1, Android 8.0.0 - OPR1.170623.026/2019-04-01, LG-H930 - lge/joan_global_com/LGE, Linux 4.4.78-perf+, aarch64)
Feb 19 09:27:42 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 09:27:42 00[JOB] spawning 16 worker threads
Feb 19 09:27:42 13[IKE] initiating IKE_SA android[10] to public ip
Feb 19 09:27:42 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:27:42 13[NET] sending packet: from 192.168.100.27[58880] to public ip[500] (716 bytes)
Feb 19 09:27:43 08[NET] received packet: from public ip[500] to 192.168.100.27[58880] (264 bytes)
Feb 19 09:27:43 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:27:43 08[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Feb 19 09:27:43 08[IKE] local host is behind NAT, sending keep alives
Feb 19 09:27:43 08[IKE] remote host is behind NAT
Feb 19 09:27:43 08[IKE] establishing CHILD_SA android{10}
Feb 19 09:27:43 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:27:43 08[NET] sending packet: from 192.168.100.27[55399] to public ip[4500] (421 bytes)
Feb 19 09:27:43 09[NET] received packet: from public ip[4500] to 192.168.100.27[55399] (1248 bytes)
Feb 19 09:27:43 09[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:27:43 09[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 09:27:43 10[NET] received packet: from public ip[4500] to 192.168.100.27[55399] (759 bytes)
Feb 19 09:27:43 10[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:27:43 10[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1942 bytes)
Feb 19 09:27:43 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 09:27:43 10[IKE] received end entity cert "CN=public ip"
Feb 19 09:27:43 10[CFG]   using trusted certificate "CN=public ip"
Feb 19 09:27:43 10[IKE] signature validation failed, looking for another key
Feb 19 09:27:43 10[CFG]   using certificate "CN=public ip"
Feb 19 09:27:43 10[CFG]   using trusted ca certificate "CN=public ip"
Feb 19 09:27:43 10[CFG] checking certificate status of "CN=public ip"
Feb 19 09:27:43 10[CFG] certificate status is not available
Feb 19 09:27:43 10[CFG]   reached self-signed root ca with a path length of 0
Feb 19 09:27:43 10[IKE] authentication of 'CN=public ip' with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:27:43 10[CFG] constraint check failed: identity 'public ip' required 
Feb 19 09:27:43 10[CFG] selected peer config 'android' unacceptable: constraint checking failed
Feb 19 09:27:43 10[CFG] no alternative config found
Feb 19 09:27:43 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 09:27:43 10[NET] sending packet: from 192.168.100.27[55399] to public ip[4500] (65 bytes)

这两台设备都曾与 StrongSwan 配合使用，我一年前就配置好了，一点问题都没有。这是 AWS 上的新 VM，实际上对于客户端设备，我刚刚更改了密码（根据新的 /ipsec.secrets）并相应地导入了新的 CA 证书。我的错误可能出在哪里？提前感谢大家。