It would be nice to be able to define the acceptable EAP identity for remote-access clients:

    set vpn ipsec remote-access connection example-conn authentication eap-id EXAMPLE.EAP.ID

Setting the EAP ID would need to update the connection entry in swanctl.conf to replace the default %any with the specified ID.

Default:

    remote {
        auth = eap-tls
        eap_id = %any
    }

With the EAP ID set:

    remote {
        auth = eap-tls
        eap_id = "EXAMPLE.EAP.ID"
    }
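
The rendering step described above, sketched as an added example (not VyOS code and not part of the original request). The function name `render_remote` and the identity allow-list are assumptions; the allow-list is there so that a value typed at the CLI cannot close the quoted string and inject extra settings into swanctl.conf.

```python
import re
from typing import Optional

# Assumption: a conservative allow-list for the identity, not strongSwan's
# own identity grammar. It starts with an alphanumeric character (so no
# leading '@' or '%' that strongSwan could interpret specially) and excludes
# quotes, braces, '#', '=' and whitespace, which have meaning in swanctl.conf.
_EAP_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,254}")

DEFAULT_EAP_ID = "%any"   # default shown on the page: accept any EAP identity
AUTH_METHOD = "eap-tls"   # authentication method shown on the page


def render_remote(eap_id: Optional[str] = None) -> str:
    """Return the swanctl.conf 'remote' section for a remote-access connection.

    With no eap_id the default %any is written unquoted. A configured
    identity is validated and then written as a quoted string.
    """
    if eap_id is None:
        value = DEFAULT_EAP_ID
    else:
        if not _EAP_ID_RE.fullmatch(eap_id):
            # Refuse the value instead of trying to escape it: the generated
            # file decides who may authenticate, so fail closed at commit time.
            raise ValueError(f"invalid EAP identity: {eap_id!r}")
        value = f'"{eap_id}"'
    return (
        "remote {\n"
        f"    auth = {AUTH_METHOD}\n"
        f"    eap_id = {value}\n"
        "}\n"
    )


if __name__ == "__main__":
    print(render_remote())                  # default section
    print(render_remote("EXAMPLE.EAP.ID"))  # section with the configured ID
```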