NIAP: View Technical Decision Details
Archived TD0379:  Updated FCS_IPSEC_EXT.1.11 Tests for VPN Client

Publication Date
2018.12.20

Protection Profiles
MOD_VPN_CLI_V2.1

Other References
FCS_IPSEC_EXT.1.11

Issue Description

The wording of Test 2 is confusing because it mentions the DN when in fact it does not technically require that "DN" be selected as an identifier.  Also, Test 4 lacks clarity.

Resolution

For FCS_IPSEC_EXT.1.11:

Test 2 shall be rewritten as follows:

Test 2: The evaluator shall configure the TOE to use a private key and associated certificate signed by a trusted CA and shall establish an IPsec connection with the peer.

Test 4 shall be deleted.

Test 9 shall be modified as follows (modifications in bold):

Test 9 [conditional]: If the TOE supports DN identifier types, the evaluator shall configure the peer's reference identifier on the TOE (per the administrative guidance) to match the subject DN in the peer's presented certificate and shall verify that the IKE authentication succeeds. To demonstrate a bit-wise comparison of the DN, the evaluator shall change a single bit in the DN (preferably, in an Object Identifier (OID) in the DN) and verify that the IKE authentication fails. To demonstrate a comparison of DN values, the evaluator shall change any one of the four DN values and verify that the IKE authentication fails.
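The DN cases in Test 9, as an added example that is not part of the NIAP technical decision: it DER-encodes a reference subject DN, derives a single-bit OID mutation and one changed-value variant per attribute, and records the expected comparison result for each. The attribute set (C, O, OU, CN), every value, and all function names are assumptions made for illustration.

```python
# Added example: DER test vectors for the DN comparison described in Test 9.
# The attribute set (C, O, OU, CN) and all values are constructed assumptions.

OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}  # 2.5.4.x content bytes

def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; short-form length only (body < 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("short-form length only in this sketch")
    return bytes([tag, len(body)]) + body

def encode_dn(rdns) -> bytes:
    """Encode [(attr, value), ...] as SEQUENCE OF SET OF SEQUENCE {OID, string}."""
    out = b""
    for attr, value in rdns:
        string_tag = 0x13 if attr == "C" else 0x0C  # PrintableString / UTF8String
        atv = tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(string_tag, value.encode()))
        out += tlv(0x31, atv)
    return tlv(0x30, out)

def flip_bit_in_oid(der: bytes, oid: bytes, bit: int = 0) -> bytes:
    """Flip one bit in the last content byte of the first occurrence of `oid`."""
    idx = der.index(tlv(0x06, oid)) + 2 + len(oid) - 1
    return der[:idx] + bytes([der[idx] ^ (1 << bit)]) + der[idx + 1:]

def dn_matches(reference: bytes, presented: bytes) -> bool:
    """Bit-wise comparison of two DER-encoded DNs."""
    return reference == presented

SUBJECT = [("C", "US"), ("O", "Example Org"), ("OU", "Lab"),
           ("CN", "vpn-peer.example.test")]  # constructed sample DN
REFERENCE = encode_dn(SUBJECT)

def build_vectors():
    """Return {name: (der, expected_match)} for the cases in Test 9."""
    vectors = {"unmodified": (REFERENCE, True),
               "oid_bit_flip": (flip_bit_in_oid(REFERENCE, OIDS["CN"]), False)}
    for i, (attr, value) in enumerate(SUBJECT):
        # Same-length change: replace the final character of one value.
        changed = SUBJECT[:i] + [(attr, value[:-1] + "X")] + SUBJECT[i + 1:]
        vectors[f"changed_{attr}"] = (encode_dn(changed), False)
    return vectors

if __name__ == "__main__":
    for name, (der, expected) in build_vectors().items():
        print(f"{name:13} match={dn_matches(REFERENCE, der)} "
              f"expected={expected} {der.hex()}")
```

The vectors model only the comparison; in an evaluation each modified DN still has to reach the TOE as the subject of a certificate the peer presents.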

Justification

See issue description
