author | Matt Smith <mgsmith@netgate.com> | 2015-10-15 10:21:11 -0500 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2015-10-15 10:32:29 -0500 |
commit | cd4aa77ca3f6099c533800934efbb1496b9ff7e6 (patch) | |
tree | 46d3e1011bc396201775aef75f8aa45bad56335c | |
parent | b7e3ab94e2a7590d13354e75cf9e8ca036abedb9 (diff) | |
Set rightca for IPsec phase 1 using Mutual RSA, Mutual RSA + xauth, or EAP-TLS. Fixes #5241.
-rw-r--r-- | etc/inc/vpn.inc | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 2d88814..9627a41 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -957,6 +957,21 @@ EOD;
 }
 }
+ if (!empty($ph1ent['caref'])) {
+ $ca = lookup_ca($ph1ent['caref']);
+ if ($ca) {
+ $casubarr = cert_get_subject_array($ca['crt']);
+ $casub = "";
+ foreach ($casubarr as $casubfield) {
+ if (empty($casub)) {
+ $casub = "/";
+ }
+ $casub .= "{$casubfield['a']}={$casubfield['v']}/";
+ }
+
+ }
+ }
+
 $authentication = "";
 switch ($ph1ent['authentication_method']) {
 case 'eap-mschapv2':
@@ -981,6 +996,9 @@ EOD;
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
 }
 }
+ if (isset($casub)) {
+ $authentication .= "\n\trightca=\"$casub\"";
+ }
 break;
 case 'eap-radius':
 if (isset($ph1ent['mobile'])) {
@@ -1002,6 +1020,9 @@ EOD;
 if (!empty($ph1ent['certref'])) {
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
 }
+ if (isset($casub)) {
+ $authentication .= "\n\trightca=\"$casub\"";
+ }
 break;
 case 'xauth_psk_server':
 $authentication = "leftauth = psk\n\trightauth = psk";
@@ -1015,6 +1036,9 @@ EOD;
 if (!empty($ph1ent['certref'])) {
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
 }
+ if (isset($casub)) {
+ $authentication .= "\n\trightca=\"$casub\"";
+ }
 break;
 case 'hybrid_rsa_server':
 $authentication = "leftauth = pubkey\n\trightauth = xauth-generic"; |
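Review bot: In the first hunk `$casub` is only assigned when `$ph1ent['caref']` is non-empty and `lookup_ca()` succeeds, but it is never cleared, so if this block sits inside the loop over phase 1 entries (which the use of `$ph1ent` suggests, though the enclosing function starts and ends outside the hunk) a later entry with no CA reference inherits the previous entry's `rightca=` via the `isset($casub)` checks in the second, third and fourth hunks, pinning that tunnel to the wrong CA. Reset it before the lookup, `unset($casub);`, and use `if (!empty($casub)) {` at the three emit sites so a CA whose subject yielded no fields does not produce an empty `rightca=""`. Separately, the subject values from `cert_get_subject_array()` are interpolated into a double-quoted ipsec.conf value without escaping; a DN component containing `"` or a newline would break the generated `rightca=` line, so it is worth either rejecting such CAs or escaping those characters when building `$casub`.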