Some questions about x.509 certificate au thenticate

On 192.168.10.10:
/etc/ipsec.d/certs/10.pem    --localhost's certificate
/etc/ipsec.d/certs/9.pem     --counterpart's certificate
/etc/ipsec.d/cacerts/cacert.pem
/etc/ipsec.d/private/10.key

 

ipsec.conf:
config setup
 interfaces="ipsec0=eth1"
conn test
 ;left=192.168.10.10
 leftcert=10.pem
 right=192.168.10.9
 rightcert=9.pem
 pfs=no
 ike=3des-md5-modp1536
 aggrmode=yes
 ;auto=add

 

     I use tcpdump to capture the data packet of IKE phase 1. I find that the two hosts don't exchange each other's certificate whether using main mode or aggressive mode. I mean they just exchange each other's the RDN sequence which is part of the x.509 certificate. They must store their counterpart's certificates in /etc/ipsec.d/certs dir. I GUESS that the hosts will lookup its counterpart's certificate in /etc/ipsec.d/certs/ dir using the RDN sequence. Then, they can get counterpart's public key. That's why they don't exchange public key during IKE phase 1 negotiation.

 ;

The question is:
1. Is what I guess right?
2. I use openswan in a embeded system. There are many clients with x.509 certificates. So, openswan must store lots of cetificates. But, there is not enough space in this embeded environment. Is there any good suggestion? 
3. For question 2, I want the openswan to store its own certificate only and get its counterparts' publick keys through IKE phase 1 negotiation. Therefore, it will save a lot storage space. Does this method work?

    ; I will really appreciate your reply and help~~~~~~~~

 ;