author | jim-p <jimp@pfsense.org> | 2010-08-13 13:21:09 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2010-08-13 13:57:44 -0400 |
commit | 96ef83a70551c0933bea9b7b9feab2233755c2d6 (patch) | |
tree | e91b33158a135a5657965a64204ac910b0140861 /etc | |
parent | 29a3ac407fdeb6f8991c5e0798c651ff560d708d (diff) | |
When using a certificate for IPsec, also write out and reference the certificate's CA.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/vpn.inc | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 824a374..49a2324 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -535,7 +535,21 @@ function vpn_ipsec_configure($ipchg = false)
 chmod($keypath, 0600);
+ $ca = lookup_ca($cert['caref']);
+ $cafile = "ca-".$ikeid.".crt";
+ $capath = $g['varetc_path']."/".$cafile;
+
+ if (!file_put_contents($capath, base64_decode($ca['crt'])))
+ {
+ log_error("Error: Cannot write phase1 CA certificate file for {$ph1ent['name']}");
+ continue;
+ }
+
+ chmod($capath, 0600);
+
 $certline = "certificate_type x509 \"".basename($certpath)."\" \"".basename($keypath)."\";";
+
+ $caline = "ca_type x509 \"".basename($capath)."\";";
 }
 $ealgos = '';
@@ -570,6 +584,7 @@ remote {$rgip}
 initial_contact = {$init};
 nat_traversal = {$natt};
 {$certline}
+ {$caline}
 {$dpdline1}
 {$dpdline2}
 support_proxy on; |
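Review bot: The result of `lookup_ca($cert['caref'])` is used without a check in the first hunk, so a phase1 whose certificate has no matching CA entry is presumably caught only indirectly, when decoding a missing `crt` gives an empty string and `file_put_contents()` returns 0. The tunnel is then skipped with a message about a write failure rather than the real cause. An explicit guard before the write, `if (!$ca || empty($ca['crt'])) { log_error("Error: Invalid phase1 CA certificate reference for {$ph1ent['name']}"); continue; }`, would report it correctly, and with that guard in place the write check can compare against `=== false`. The enclosing block of vpn_ipsec_configure() starts and ends outside the hunk.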
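Review bot: `{$caline}` is now interpolated into every `remote` section in the second hunk, but the only assignment visible on this page is inside the certificate branch of the first hunk. Unless `$caline` is reset somewhere outside the hunks, a phase1 that does not use a certificate would either reference an undefined variable or, if this runs in a loop as the `continue` suggests, inherit the `ca_type` line written for a previous certificate-based entry. Initialising it at the top of each iteration next to wherever `$certline` is reset, `$caline = '';`, keeps one tunnel's trust anchor out of another tunnel's configuration. Where `$certline` is initialised is not visible here.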