authorMatt Smith <mgsmith@netgate.com>2015-10-15 10:30:38 -0500
committerMatt Smith <mgsmith@netgate.com>2015-10-15 10:30:38 -0500
commit7a7e1ba909e37d237e36c43a847faecfdf9559b5 (patch)
tree9fc56800d12247d7eab7abb2ede8544a0fdc4c14 /src
parentea148bd7b3201b40f1722c51b9429af74eecc7ce (diff)
downloadpfsense-7a7e1ba909e37d237e36c43a847faecfdf9559b5.zip
pfsense-7a7e1ba909e37d237e36c43a847faecfdf9559b5.tar.gz
Set rightca for IPsec phase 1 using Mutual RSA, Mutual RSA + xauth, or EAP-TLS. Fixes #5241.
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/vpn.inc24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index a529cfa..62c5fa2 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -951,6 +951,21 @@ EOD;
}
}
+ if (!empty($ph1ent['caref'])) {
+ $ca = lookup_ca($ph1ent['caref']);
+ if ($ca) {
+ $casubarr = cert_get_subject_array($ca['crt']);
+ $casub = "";
+ foreach ($casubarr as $casubfield) {
+ if (empty($casub)) {
+ $casub = "/";
+ }
+ $casub .= "{$casubfield['a']}={$casubfield['v']}/";
+ }
+
+ }
+ }
+
$authentication = "";
switch ($ph1ent['authentication_method']) {
case 'eap-mschapv2':
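Review bot: `$casub` is never reset before the added `if (!empty($ph1ent['caref']))` block, so if this code runs once per phase 1 entry (the enclosing function starts outside the hunk, so that is inferred), a later entry with no `caref`, or one whose `lookup_ca()` returns nothing, inherits the `$casub` built for the previous entry and the `isset($casub)` checks in the later hunks write that stale CA as its `rightca`. Adding `unset($casub);` immediately before the new `if` keeps each entry's value independent without touching the use sites. Separately, an empty subject array leaves `$casub` set to `""`, which passes `isset()` and yields `rightca=""`; checking `!empty($casub)` where it is used, or assigning `$casub` only after at least one field has been appended, avoids emitting an empty constraint.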
@@ -975,6 +990,9 @@ EOD;
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
}
+ if (isset($casub)) {
+ $authentication .= "\n\trightca=\"$casub\"";
+ }
break;
case 'eap-radius':
if (isset($ph1ent['mobile'])) {
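Review bot: The added `rightca` line interpolates the assembled CA subject into a double-quoted ipsec.conf value with no escaping, so a DN component containing `"` or a line break (the values come from the CA certificate via `cert_get_subject_array()`, not from a fixed list) produces a malformed or truncated `conn` block; the identical additions in the next two hunks have the same issue. Because this file is regenerated from the stored configuration, such a CA would affect every phase 1 entry that references it, not just the one being edited. Validating that `$casub` contains no `"` or control characters before emitting it, and skipping `rightca` with a log message otherwise, keeps the generated config well-formed. The `switch` and its enclosing function start outside the hunk.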
@@ -996,6 +1014,9 @@ EOD;
if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
+ if (isset($casub)) {
+ $authentication .= "\n\trightca=\"$casub\"";
+ }
break;
case 'xauth_psk_server':
$authentication = "leftauth = psk\n\trightauth = psk";
@@ -1009,6 +1030,9 @@ EOD;
if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
+ if (isset($casub)) {
+ $authentication .= "\n\trightca=\"$casub\"";
+ }
break;
case 'hybrid_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = xauth-generic";