Leftcert
Last modified: November 22, 2006, at 04:53 AM

If you are using leftrsasigkey=%cert, this option defines the certificate you would like to use. It should point to an X.509 encoded certificate file. If you do not specify a full pathname, the file is looked up in /etc/ipsec.d/certs by default.

If smartcard support is enabled at compile time, you can use %smartcard as the cert value. In most cases there is a single smartcard reader or cryptotoken and only one RSA private key safely stored on the crypto device. Thus the default entry

    leftcert=%smartcard

which stands for the full notation

    leftcert=%smartcard0:45

is sufficient. The general notation

    leftcert=%smartcard<reader nr>:<PKCS#15 key id>

supports the simultaneous use of several smartcard readers and cryptotokens and can access multiple RSA private keys and the corresponding X.509 certificates stored on a crypto device.
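When auditing an ipsec.conf it helps to know which certificate file or token key each leftcert value actually selects. The following is an added example, not Openswan code: it resolves the forms described above, and the helper names, the sample configuration and the key id 50 are constructed for illustration. Rejecting partial forms such as %smartcard1 is a conservative choice of this example, since the page documents only the bare and the full notation.

```python
import posixpath
import re

CERT_DIR = "/etc/ipsec.d/certs"           # default directory named on the page
DEFAULT_READER, DEFAULT_KEY_ID = 0, "45"  # page: %smartcard == %smartcard0:45
_SMARTCARD = re.compile(r"%smartcard(?:(\d+):(\S+))?")

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
conn office
    leftrsasigkey=%cert
    leftcert=gateway.pem
conn token
    leftcert=%smartcard
conn second-reader
    leftcert=%smartcard1:50
"""


def resolve_leftcert(value, cert_dir=CERT_DIR):
    """Return ('smartcard', reader, key_id) or ('file', absolute_path)."""
    value = value.strip()
    if not value:
        raise ValueError("empty leftcert value")
    if value.startswith("%"):
        m = _SMARTCARD.fullmatch(value)
        if m is None:
            raise ValueError("unrecognised leftcert keyword: %r" % value)
        if m.group(1) is None:            # bare %smartcard: apply defaults
            return ("smartcard", DEFAULT_READER, DEFAULT_KEY_ID)
        return ("smartcard", int(m.group(1)), m.group(2))
    if posixpath.isabs(value):            # full pathname is used as given
        return ("file", value)
    return ("file", posixpath.join(cert_dir, value))


def leftcerts(conf_text):
    """Map each conn name in ipsec.conf text to its resolved leftcert."""
    result, conn = {}, None
    for line in conf_text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        if not line[0].isspace():         # section header such as "conn name"
            parts = line.split()
            conn = parts[1] if len(parts) == 2 and parts[0] == "conn" else None
        elif conn and "=" in line:
            key, val = line.strip().split("=", 1)
            if key.strip() == "leftcert":
                result[conn] = resolve_leftcert(val.strip().strip('"'))
    return result
```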

See also README.x509
