Before the IPSec negotiation between the client and the gateway, there is an SSL handshake between them in order for the negotiation to be transferred over an encrypted link.
The gateway does not "know" that the SSL handshake is only an infrastructure for the IPSec negotiation, and it is treating it as Mobile Access. This is why it is presenting the Mobile Access certificate.
No fix is required; the system is functioning as designed.
The IPSec certificate (or the one selected for Remote Access clients) will be used during the IKE negotiation, as expected.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.