Here are the relevant vpnd.elg logs from the [AU] process, which I think is central to the issue. I think the key issue is that with IKEv1 "ike_fetch_user" gets triggered (as it probably should?), whereas with IKEv2 it does not:
With IKEv1:
[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10][AU] CAuthCertRules::GetUsernameFromCert (0xe82f7ab0): Extracted username from cert: CN=xyz,OU=users,O=MGMT..ctwkvh
[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10] ike_fetch_user: Entering.
--snip--
[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10] fetch_user_with_sr_info: requesting au_realm_fetchuser with groups
--snip--
[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10] free_fetch_user_with_sr_info_opaque: Entering
[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10] FwIkeP1FetchDaip: entering
[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10] FwIkeP1FetchDaip: Identified DAG: 'Device_10.x.x.177' <-- The correct device is found and later changed in the tables with separate functions as indicated by logs
With IKEv2:
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][AU] CAuthCertRules::GetUsernameFromCert (0xe82f7ab0): Extracted username from cert: CN=xxx,OU=users,O=MGMT..ctwkvh
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43] fwCert_MatchAndSortCertsForVal: Peer certificate does not conform to matching criteria
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] ikeAuthExchange_r::validateCertPayload: validateCertificates returned -2
--snip--
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] ikeAuthExchange_r::validateCertPayload: validating cert payload failed.
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] Exchange::processPayloads: problem processing payload no. 2 of type Cert payload
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] Exchange::processPayloads: processPayloads returning initial status
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] ikeAuthExchange_r::postValiadatePayloads: enter with res = -4
[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] Exchange::setStatus: Changing status from: initial to: doomed (final).. <-- the lookups are never done and the checkpoint replies with an AUTH FAIL
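An added example (not the poster's code and not a Check Point tool) that parses vpnd.elg lines of the shape quoted above and reports, per negotiation, whether the user lookup ran or the peer certificate was rejected first. The line layout is assumed from the quoted lines only; the sample lines are copied from the post, with the poster's " <--" remarks stripped by the parser.

```python
import re
from typing import Dict, List, Optional

# Line shape as posted: [vpnd <pid> <tid>]@<host>[<timestamp>][<tag>] <function>: <message>
# The [<tag>] part ([AU], [ikev2]) is not present on every line (assumed from the post).
LINE_RE = re.compile(
    r"^\[vpnd (?P<pid>\d+) (?P<tid>\d+)\]@(?P<host>[^\[]+)\[(?P<ts>[^\]]+)\]"
    r"(?:\[(?P<tag>[^\]]+)\])?\s*(?P<func>.+?):\s(?P<msg>.*)$"
)
# Sample input copied from the post (snip markers and inline remarks included on purpose).
IKEV1_LINES = [
    "[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10][AU] CAuthCertRules::GetUsernameFromCert (0xe82f7ab0): Extracted username from cert: CN=xyz,OU=users,O=MGMT..ctwkvh",
    "[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10] ike_fetch_user: Entering.",
    "--snip--",
    "[vpnd 5963 4101797776]@FW1[3 Jan 15:26:10] FwIkeP1FetchDaip: Identified DAG: 'Device_10.x.x.177' <-- correct device found",
]
IKEV2_LINES = [
    "[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][AU] CAuthCertRules::GetUsernameFromCert (0xe82f7ab0): Extracted username from cert: CN=xxx,OU=users,O=MGMT..ctwkvh",
    "[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43] fwCert_MatchAndSortCertsForVal: Peer certificate does not conform to matching criteria",
    "[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] ikeAuthExchange_r::validateCertPayload: validateCertificates returned -2",
    "[vpnd 5963 4101797776]@FW1[3 Jan 16:08:43][ikev2] Exchange::setStatus: Changing status from: initial to: doomed (final).. <-- AUTH FAIL",
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one vpnd.elg line into fields; None for snip markers and other non-log text."""
    m = LINE_RE.match(line.split(" <--", 1)[0].strip())   # drop trailing poster remarks
    return m.groupdict() if m else None

def summarize_auth(lines: List[str]) -> Dict[str, object]:
    """Walk one negotiation's lines and record which peer-auth steps were reached."""
    s: Dict[str, object] = {"cert_match_failed": False, "validate_rc": None,
                            "user_fetch": False, "dag": None, "doomed": False}
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        f, msg = e["func"], e["msg"]
        if f == "fwCert_MatchAndSortCertsForVal" and "does not conform" in msg:
            s["cert_match_failed"] = True   # peer cert rejected by the matching criteria
        elif f == "ikeAuthExchange_r::validateCertPayload" and "validateCertificates returned" in msg:
            s["validate_rc"] = int(msg.rsplit(" ", 1)[1])
        elif f == "ike_fetch_user" and msg.startswith("Entering"):
            s["user_fetch"] = True          # user/realm lookup actually started
        elif f == "FwIkeP1FetchDaip" and msg.startswith("Identified DAG: "):
            s["dag"] = msg.split(": ", 1)[1].strip("'")
        elif f == "Exchange::setStatus" and "doomed" in msg:
            s["doomed"] = True              # exchange abandoned, peer gets AUTH FAIL
    s["verdict"] = ("user lookup ran" if s["user_fetch"] else
                    "peer cert rejected before any user lookup" if s["cert_match_failed"] else "incomplete trace")
    return s
```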