authorErmal LUÇI <eri@pfsense.org>2015-01-07 21:02:09 +0100
committerErmal LUÇI <eri@pfsense.org>2015-01-07 21:02:31 +0100
commit1ada4c8c514cc33b0df6238b7f2f177078bfe2e8 (patch)
tree6382518824dc189b931e10ba21b3fadf4decb93c /etc
parent2f56ac49ee5fed548216aaabdf098e185decddf7 (diff)
downloadpfsense-1ada4c8c514cc33b0df6238b7f2f177078bfe2e8.zip
pfsense-1ada4c8c514cc33b0df6238b7f2f177078bfe2e8.tar.gz
Move to explicitly specifying the ID type, except when it is an IP address, so that strongswan behaves properly. Also, for DynDNS names use the dns ID type so that strongswan does the resolving on its own.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/ipsec.inc42
-rw-r--r--etc/inc/vpn.inc24
2 files changed, 35 insertions, 31 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index eb527e0..2b33e57 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -616,39 +616,41 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) {
$addr = "%any";
else
$addr = $ph1ent['remote-gateway'];
- } else {
+ } else
return array();
- }
$thisid_type = $id_type;
switch ($thisid_type) {
- case "myaddress":
- $thisid_type = "address";
+ case 'myaddress':
+ $thisid_type = 'address';
$thisid_data = $addr;
break;
-
- case "dyn_dns":
- $thisid_type = "address";
- $thisid_data = resolve_retry($id_data);
+ case 'dyn_dns':
+ $thisid_type = 'dns';
+ $thisid_data = $id_data;
break;
-
- case "peeraddress":
- $thisid_type = "address";
+ case 'peeraddress':
+ $thisid_type = 'address';
$thisid_data = $rgmap[$ph1ent['remote-gateway']];
break;
-
- case "address";
+ case 'address';
$thisid_data = $id_data;
break;
-
- case "fqdn";
- case "keyid tag";
- case "user_fqdn";
- case "asn1dn";
+ case 'fqdn';
+ $thisid_data = "{$id_data}";
+ break;
+ case 'keyid tag';
+ $thisid_type = 'keyid';
+ $thisid_data = "{$thisid_data}";
+ break;
+ case 'user_fqdn';
+ $thisid_type = 'userfqdn';
+ $thisid_data = "{$id_data}";
+ break;
+ case 'asn1dn';
$thisid_data = $id_data;
- if( $thisid_data )
- $thisid_data = "{$thisid_data}";
+ $thisid_data = "{$id_data}";
break;
}
return array($thisid_type, $thisid_data);
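Review bot: The new `case 'keyid tag';` branch reads `$thisid_data` before anything in the function has assigned it, so a keyid identity is always returned with empty data; the line should be `$thisid_data = "{$id_data}";`, as the neighbouring `fqdn` and `user_fqdn` branches do. The old code only worked because `keyid tag` fell through into the `asn1dn` case, which did the `$id_data` assignment, and the rewrite removed that fall-through. The caller in vpn.inc skips the PSK entry when the peer id data is empty and otherwise writes a type-prefixed id into the connection spec, so a peer configured with a keyid identity would presumably lose its secret or be matched against a `keyid:` selector with nothing after it. The `asn1dn` branch also assigns `$thisid_data` twice and drops the old emptiness guard; the second assignment can go. The function's opening lines are outside the hunk.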
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d5775da..60a844f 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -478,14 +478,14 @@ EOD;
/* XXX" Traffic selectors? */
$pskconf .= " : RSA {$ph1keyfile}\n";
} else {
- list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
- list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
+ list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
if (empty($peerid_data))
continue;
$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
- $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
+ $peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : '';
if (!empty($ph1ent['pre-shared-key'])) {
if ($myid_type == 'fqdn' && !empty($myid_data))
$pskconf .= "@{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
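Review bot: The `if ($myid_type == 'fqdn' && !empty($myid_data))` check still keys the `@`-prefixed secrets line on `fqdn` alone, while the same commit makes ipsec_find_id return the new types `dns`, `userfqdn` and `keyid`; a DynDNS local id, which used to come back as a resolved `address`, now arrives here as `dns` and falls into the branch below the hunk, whose handling I cannot see. Unless that branch prefixes host names itself, the generated ipsec.secrets selector for such a peer changes shape with this commit, which is worth confirming. The loop body continues outside the hunk.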
@@ -560,17 +560,19 @@ EOD;
} else
$right_spec = $ph1ent['remote-gateway'];
- list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
- if ($myid_type == 'fqdn')
- $myid_data = "@{$myid_data}";
- list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
- if ($peerid_type == 'fqdn')
- $peerid_data = "@{$peerid_data}";
+ list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
+ if ($myid_type != 'address')
+ $myid_data = "{$myid_type}:{$myid_data}";
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';
- if (!isset($ph1ent['mobile']))
- $peerid_spec = $peerid_data;
+ if (!isset($ph1ent['mobile'])) {
+ list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
+ if ($peerid_type != 'address')
+ $peerid_spec = "{$peerid_type}:{$peerid_data}";
+ else
+ $peerid_spec = $peerid_data;
+ }
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
$ealgosp1 = '';
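Review bot: `$peerid_type` and `$peerid_data` are now assigned only inside the `!isset($ph1ent['mobile'])` block (the `list (...) = ipsec_find_id($ph1ent, 'peer', $rgmap)` call moved there), so any later use of either variable for a mobile entry — the loop body continues past the hunk — would see a value left over from the previous iteration or an undefined variable. The new `"{$myid_type}:{$myid_data}"` and `"{$peerid_type}:{$peerid_data}"` prefixes are also applied when the data part is empty, producing a bare `fqdn:` or `keyid:` selector in the generated config; guarding with `if ($myid_type != 'address' && !empty($myid_data))` and the equivalent on the peer side would keep such a selector out of the connection definition. The two type comparisons would read more safely as `!==`.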