Multiple IKEv2 gateways in parallel

Posts: 202  Master Member
edited March 2023 in Security

What I want to do:

  • Have multiple IKEv2 gateways running in parallel named #1 and #2.
  • Have multiple users with the same credentials sign into #1 to access one subnet
  • Have one admin sign into #2 and access another subnet

Since using an IKEv2 certificate gateway fixes the server's Local-ID-Type and Local-ID-Content to the certificate's Subject, you are left with only the Peer-ID to distinguish between requests to all gateways.

With only one gateway, I can set Peer-ID to “any” and then enter a unique string for each client to have multiple clients connect to the gateway at the same time, receive a unique IP in the correct subnet and all is good.

When I add a second gateway, the Zyxel device (FLEX200) fails to distinguish between gateways when both gateways are using the same FQDN/DDNS hostname. So I made the second gateway use another FQDN/DDNS – which of course resolves to the same WAN IP, but still gives a unique Local-ID-Content. At least so I thought…

Turns out, that the client still gets connected to the gateway with first precedence – deactivating that one will result in the second one working correctly.

Setting an email as Peer-ID on both gateways solves that, but also disconnects any user on a gateway, as soon as a second user connects to it, because the gateway has no way of distinguishing between users anymore.

The Peer-ID setting in the device only allows "any" or fixed values – no wildcards. Being able to enter *@myserver.com for example would be swell.

My further ideas to get what I need:

  • Use a second WAN-IP – in fact this device will at some point be deployed with 4 static IPs on WAN1 and 1 or 2 static IPs on WAN2, so that will "auto-solve" my problem. But that's quite a luxurious position to be in, many folks have to cope with only one IP. That's also what I have to work with for now.
  • Make gateway #2 take precedence over #1 and only accept one specific Peer-ID. Other requests should be handed down to the next gateway – which then accepts "any" as Peer-ID and thereby allows for multiple users. Doing that in the GUI is not possible, the only way is to edit/sort the startup-config. Or create the gateways in the required order and then hope this order never gets messed up.
  • Use only one gateway and handle the admin user differently from regular users. I was hoping for a different subnet/zone/vlan as landing point and thereby avoid having to configure Security Policies for that…

I really wonder, why the different Hostname / Local-ID doesn't work as expected. After all it has to match the cert?

Any ideas / input are welcome!


All Replies

  • Posts: 919  Zyxel Employee

    Hi @StefanZ ,

    Greeting Forum, I tested the scenario. It works.

    Please kindly refer to the following settings:

    1) Create two Phase1 VPN gateways. For local ID use the same certificate. For Peer ID use different DNS names to identify them.

    (Phase1 profile: test1)

    (Phase1 profile: test2)

    2) Create two Phase2 profiles for them.

    3) Change the VPN client “local ID” to determine which profile will be connected.

    If local ID is “p1.com”, profile “test1_p2” is selected.

    If local ID is “p2.com”, profile “test2_p2” is selected.

    If there is still an issue, please share your config files by private message. Thank you

    Kevin

  • Posts: 202  Master Member

    Yes sure, that works, BUT…

    I cannot have multiple connections to either of the two gateways, because all users would share the same Local-ID and user #2 would terminate user #1 when connecting.

    What I don't understand: If my gateways have different FQDNs/DDNS and use that as their Local-ID, wouldn't that play into the selection of the gateway too? Or does the FLEX200 just see the request-IP at this stage (which would be the same for both FQDNs) and thus cannot differentiate?

  • Posts: 919  Zyxel Employee

    Hi @StefanZ ,

    All VPN profiles share the same Local-ID and the VPN clients set individual local IDs (p1.com, p2.com). When user2 connected, user1 was not terminated. It works at the same time.

    1) To meet the requirement, please set a different Peer ID for each profile.

    2) Peer ID / Local ID are just for identification. It doesn't matter if the value is not the same as the WAN address. The point is the value must match the VPN client.

    [profile1]

    FW: Local ID: 1.1.1.1, Peer ID: p1.com

    Client: Local ID: p1.com, Peer ID: 1.1.1.1

    [profile2]

    FW: Local ID: 1.1.1.1, Peer ID: p2.com

    Client: Local ID: p2.com, Peer ID: 1.1.1.1

    Thank you
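As an added illustration (not Zyxel code and not from either poster), a small Python model of the selection behaviour described in the original post and in the fixed-Peer-ID layout from the reply above: gateways are tried in precedence order, "any" matches every Peer-ID, and a second client presenting a Peer-ID already in use on a gateway replaces the first session. Gateway names and the example.com identities are constructed.

```python
from dataclasses import dataclass, field

# Model of the behaviour the thread describes: first gateway whose Peer-ID
# matches wins ("any" matches everything), and a client that presents a
# Peer-ID already in use on that gateway replaces the existing session.
# Constructed example, not a description of the FLEX200's internals.


@dataclass
class Gateway:
    name: str
    peer_id: str  # "any" or one fixed value (the device offers no wildcards)


@dataclass
class Vpn:
    gateways: list  # in precedence order, first match wins
    sessions: dict = field(default_factory=dict)  # (gateway, peer_id) -> client

    def connect(self, client, peer_id):
        """Return (gateway name, client kicked because it shared the Peer-ID)."""
        for gw in self.gateways:
            if gw.peer_id in ("any", peer_id):
                key = (gw.name, peer_id)
                kicked = self.sessions.get(key)  # same identity already connected?
                self.sessions[key] = client
                return gw.name, kicked
        return None, None


def any_first():
    """OP's layout: the 'any' gateway has first precedence, so the admin lands on #1."""
    vpn = Vpn([Gateway("gw1", "any"), Gateway("gw2", "admin@example.com")])
    return vpn.connect("admin", "admin@example.com")[0]


def specific_first():
    """OP's idea #2: fixed-ID gateway first, 'any' as fallback; distinct user IDs coexist."""
    vpn = Vpn([Gateway("gw2", "admin@example.com"), Gateway("gw1", "any")])
    landing = vpn.connect("admin", "admin@example.com")[0]
    vpn.connect("u1", "user1")
    return landing, vpn.connect("u2", "user2")[1]


def shared_peer_id():
    """One fixed email Peer-ID per gateway: user #2 kicks user #1 off the same identity."""
    vpn = Vpn([Gateway("gw1", "vpn@example.com")])
    vpn.connect("u1", "vpn@example.com")
    return vpn.connect("u2", "vpn@example.com")[1]
```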
