author | Renato Botelho <garga@FreeBSD.org> | 2014-02-28 17:25:05 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-02-28 17:25:05 -0300 |
commit | 6d0f5a635aed336e5d2b6208a07a564b79f8863d (patch) | |
tree | 8a2ed8df22b811cb465b4ea43437294652be81c2 /etc/inc/vpn.inc | |
parent | 9904df17e50a827eb8e00fb1a595b313b98b5f31 (diff) | |
Add an option to verify peers_identifier when it's an ASN.1 distinguished name. It should fix #2904
Diffstat (limited to 'etc/inc/vpn.inc')
-rw-r--r-- | etc/inc/vpn.inc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 62d997c..3a75c96 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -308,6 +308,7 @@ function vpn_ipsec_configure($ipchg = false)
 /* begin racoon.conf */
 $racoonconf = "";
+ $peerid_verify = "";
 if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {
 $racoonconf .= "# This file is automatically generated. Do not edit\n";
@@ -607,6 +608,8 @@ function vpn_ipsec_configure($ipchg = false)
 /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
 if (!(($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile']))) {
 $peerid_spec = "peers_identifier {$peerid_type} {$peerid_data};";
+ if (isset($ph1ent['verify_identifier']))
+ $peerid_verify = "verify_identifier on;";
 }
 /* add remote section to configuration */
@@ -619,6 +622,7 @@ remote {$rgip}
 exchange_mode {$ph1ent['mode']};
 my_identifier {$myid_type} {$myid_data};
 {$peerid_spec}
+ {$peerid_verify}
 ike_frag on;
 generate_policy = {$genp};
 initial_contact = {$init}; |
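Review bot: `$peerid_verify` is cleared only once, next to `$racoonconf` in the first hunk, and the second hunk only ever sets it to `verify_identifier on;`, so nothing visible resets it between phase 1 entries. If the `remote` section is built once per entry, as `$ph1ent` and `remote {$rgip}` suggest (the loop lies outside these hunks), one entry with the option set leaves the directive in every later section, including a mobile PSK-only one that gets no `peers_identifier`. Resetting it per entry avoids that: put `$peerid_verify = "";` directly above the `/* Only specify peer ID ... */` comment in the second hunk. The third hunk then emits the value for the current entry only.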
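Review bot: The new `isset($ph1ent['verify_identifier'])` branch in the second hunk has no comment saying what the flag changes for the operator. As racoon.conf(5) describes it, the peer's ID payload is compared with `peers_identifier` only when `verify_identifier` is on, and the default is off, so tunnels without this option still do not enforce the configured identifier. A comment above the test would record that, e.g. `/* racoon checks the peer ID against peers_identifier only when verify_identifier is on (default: off) */`. The commit message limits the option to ASN.1 distinguished names, but the test does not look at `$peerid_type`; the comment should say which is intended.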