authorPierre POMES <pierre.pomes@gmail.com>2010-12-28 16:23:36 -0500
committerPierre POMES <pierre.pomes@gmail.com>2010-12-28 16:23:36 -0500
commit8f5c3d8d8af906fab96a81a97bcd62d908bc5761 (patch)
tree944de9a700206d9b7247b54ffd91653b823254a3
parentc23b4f0d80d389007cf058d0f17a65001a644811 (diff)
Ticket #1116: anonymous sainfo may be used only for single phase2 ipsec VPN's
-rw-r--r--etc/inc/ipsec.inc19
-rw-r--r--etc/inc/vpn.inc5
2 files changed, 21 insertions, 3 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 332f300..2653297 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -469,4 +469,21 @@ function ipsec_mobilekey_sort() {
usort($config['ipsec']['mobilekey'], "mobilekeycmp");
}
-?> \ No newline at end of file
+function ipsec_get_number_of_phase2($ikeid) {
+ global $config;
+ $a_phase2 = $config['ipsec']['phase2'];
+
+ $nbph2=0;
+
+ if (is_array($a_phase2) && count($a_phase2)) {
+ foreach ($a_phase2 as $ph2tmp) {
+ if ($ph2tmp['ikeid'] == $ikeid) {
+ $nbph2++;
+ }
+ }
+ }
+
+ return $nbph2;
+}
+
+?>
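Review bot: `ipsec_get_number_of_phase2()` matches entries with a loose `==` on `ikeid` and has no comment saying what the count is for. Judging by the commit title and the vpn.inc hunk, the result decides whether a mobile PSK tunnel gets the anonymous sainfo form, so the match should be exact: `if (isset($ph2tmp['ikeid']) && (string)$ph2tmp['ikeid'] === (string)$ikeid) {`, which also avoids a notice on an entry without the key. The loop presumably counts phase2 entries that are disabled in the configuration as well; if those are left out of the generated IPsec config, they should be skipped here too, which needs confirming against the caller. A header comment such as `/* Return the number of phase2 entries attached to the phase1 identified by $ikeid */` would document the contract.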
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index a3b681a..0e172cc 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -636,11 +636,12 @@ EOD;
$localid_type = $ph2ent['localid']['type'];
$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
- /* Do not print localid in some cases, such as a pure-psk or psk/xauth mobile tunnel */
+ /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
if (($localid_type == "none") ||
(($ph1ent['authentication_method'] == "xauth_psk_server") ||
($ph1ent['authentication_method'] == "pre_shared_key"))
- && isset($ph1ent['mobile']))
+ && isset($ph1ent['mobile'])
+ && (ipsec_get_number_of_phase2($ikeid)==1))
$localid_spec = " ";
else {
if ($localid_type != "address") {
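Review bot: The added test `ipsec_get_number_of_phase2($ikeid)==1` depends on `$ikeid`, which is assigned somewhere outside this hunk; if it is unset or left over from an earlier entry, the count is wrong and the tunnel silently gets the other sainfo form. Passing the key of the entry being processed, `ipsec_get_number_of_phase2($ph2ent['ikeid'])`, would tie the check to data visible here. The condition also mixes `||` and `&&` without grouping, so it reads as `none || (psk && mobile && single phase2)` only by operator precedence; explicit parentheses around the `&&` group would make that intent auditable. The enclosing block starts and ends outside the hunk.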