Watching at the USG logs it seems to me that the authentication fail because it check against the first VPN Gateway that match the gateway interface address. So the fact that each VPN connection use the same gateway interface address, but a unique certificate, will make all clients auth fail except one.
I have tried to workaround this by using unique domain names (that point to the same ip address sure), but the issues does not change. The USG logs are pretty clear, and show that the destination (dst) used is still the ip address and not the domain name which could differentiate the request. It also highlight that the auth is against the wrong VPN gateway, and that's why it is rejected I think. trimmed log:
Feb 13 17:07:58 usg210 CEF: 0|ZyXEL|USG210|4.32(AAPI.0)|0|Access Control|9|src=194.240.xxx.xxx dst=79.xxx.xxx.59 spt=1011 dpt=500 msg=priority:48, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT proto=17 app=Default_Allow_W
Feb 13 17:08:30 usg210 CEF: 0|ZyXEL|USG210||0|IKE|4|src=79.xxx.xxx.59 dst=194.240.xxx.xxx spt=4500 dpt=4500 msg=IKE SA [The-First-VPN-Gateway-That-Matches-dst] is disconnected
Is there a way to achieve what we are seeking for?
It would be great because, it would not only solve this issue for us, but also one other important, diversificate the permissions for each VPN client (eg. userA can access only the LAN1, userB can access LAN1 LAN2 ecc.)
Thank you for the attention , and for any help