For the PKCS#12 file both absolute paths or paths relative to /etc/ipsec.d/private are accepted. If the container is encrypted, the passphrase must be defined. Instead of a passphrase %prompt can be used which then causes the daemon to ask the user for the password whenever it is required to decrypt the container.
Private keys, and client and CA certificates are extracted from the container. To use such a client certificate in a connection, set leftid to one of the subjects of the certificate.
This is available since 5.1.0.
: P12 <PKCS#12 file> [ <passphrase> | %prompt ]
: P12 moon.p12 "cjen4*lWnr3jsk"