Site LS has Kerio Control box, the connection was working fine with the default config with Linux IPSEC, but I'm trying to consolidate our Tomato router and Linux machine running ipsec.

This is the error message on my OpenWRT router:

ERROR: exchange Identity Protection not allowed in any applicable rmconf.

I confirmed that the mode is main, and even tried aggressive, but same results.
I have manually set IKE, KEYEXCHANGE, and ESP to match the other firewall (Kerio Control), but it still will not connect.   

I have even disabled the firewall in OpenWrt temporarily to test.

Here's an ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.18.20, armv7l):
  uptime: 111 seconds, since Nov 22 20:28:24 2017
  malloc: sbrk 233472, mmap 0, used 227464, free 6008
  worker threads: 9 of 16 idle, 7/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Listening IP addresses:
  192.168.2.20
  wan ip
  2603:3023:510:7600:4694:fcff:fe34:61b8
  2603:3023:510:7600::f5c2
  10.8.0.1
Connections:
          ls:  192.168.2.20...kerio firewall  IKEv1
          ls:   local:  [cbw] uses pre-shared key authentication
          ls:   remote: [control] uses pre-shared key authentication
          ls:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
          ls[1]: CONNECTING, 192.168.2.20[%any]...kerio firewall[%any]
          ls[1]: IKEv1 SPIs: 28c9e983e3c58168_i* 0000000000000000_r
          ls[1]: Tasks queued: QUICK_MODE
          ls[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

Here's my ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

conn ls
        left=192.168.2.20
        leftsubnet=192.168.2.0/24
        leftid=cbw
        rightid=control
        right=kerio ip
        rightsubnet=192.168.1.0/24
        auto=start
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1-modp2048,3des-sha1-modp1536
        esp=aes128-sha1,3des-sha1