Tero, good ideas, one issue though:
4) When you receive certificate request you MUST send your own
certificate for that CA.
Your own IPSec policy typically includes what roots to use or what certs to send - so you have to enforce that, regardless of what the peer sends you. If the CRPs don't match the roots you are configured to use, then you are saying here you MUST fail. And that means that the peer MUST send a correct CRP for the credential you have - which of course isn't always possible.
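The point above (local policy decides which certificate may be sent; the peer's certificate request is at most a hint, and a mismatch is either a hard failure or a fallback depending on how strict you are) is easier to see in code. The following is an added example written for this note, not code from the thread or from any IKE implementation; the `LocalPolicy`, `Cert`, `select_cert` and `ca_id` names, and the sample CA names, are assumptions made for illustration, and the CA identifier is a constructed stand-in for what a real CERTREQ payload carries.

```python
"""Added example: choosing which certificate to send in response to a
peer's certificate request, with local policy enforced first.

Everything here (class names, function names, sample CA names) is an
assumption made for illustration, not taken from any IKE implementation.
"""
from __future__ import annotations

from dataclasses import dataclass
from hashlib import sha1


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer_ca: str  # name of the CA that issued this end-entity cert


@dataclass
class LocalPolicy:
    # CAs this host trusts as roots: configured locally, never learned from the peer
    trusted_roots: set[str]
    # certificates this host is willing to present, in order of local preference
    own_certs: list[Cert]
    # whether a certificate request naming none of our CAs is a hard failure
    strict_certreq: bool = False


def ca_id(ca_name: str) -> bytes:
    """Constructed stand-in for the CA identifier a certificate request carries."""
    return sha1(ca_name.encode()).digest()


def select_cert(policy: LocalPolicy, certreq: list[bytes]):
    """Pick the certificate to send, returning (cert, reason) or (None, reason).

    Step 1 enforces local policy regardless of what the peer asked for:
    only certificates chaining to a configured trusted root are candidates.
    Step 2 uses the peer's request to prefer a candidate the peer can
    verify.  If nothing matches, strict mode fails (the MUST-fail reading
    discussed above); lenient mode falls back to the local preference.
    """
    # Step 1: local policy filter, independent of the peer's request
    candidates = [c for c in policy.own_certs if c.issuer_ca in policy.trusted_roots]
    if not candidates:
        return None, "no own certificate chains to a configured trusted root"

    # Step 2: treat the peer's request as a hint for choosing among candidates
    requested = set(certreq)
    for cert in candidates:
        if ca_id(cert.issuer_ca) in requested:
            return cert, "matched a CA named in the peer's certificate request"

    if policy.strict_certreq:
        return None, "peer's certificate request names none of our configured CAs"
    return candidates[0], "no match; fell back to locally preferred certificate"


if __name__ == "__main__":
    # Constructed sample: a gateway with certs from two locally trusted CAs
    gw = LocalPolicy(
        trusted_roots={"CorpRoot", "PartnerRoot"},
        own_certs=[Cert("vpn-gw", "CorpRoot"), Cert("vpn-gw", "PartnerRoot")],
    )
    print(select_cert(gw, [ca_id("PartnerRoot")]))  # peer hint honoured
    print(select_cert(gw, [ca_id("UnknownRoot")]))  # lenient fallback
    gw.strict_certreq = True
    print(select_cert(gw, [ca_id("UnknownRoot")]))  # strict: (None, ...)
```

The last case in the filter is the one worth noticing: even if the peer explicitly requests a CA that issued one of our certificates, that certificate is never sent unless local policy already trusts that CA, which is the "enforce that, regardless of what the peer sends you" behaviour.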