From 50de9fa88581b487918faddefd286caccc14b28c Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 28 Oct 2015 13:49:24 -0400
Subject: Set leftsendcert=always for IKEv2 configurations with certificates to better accommodate OS X and iOS manual configurations. Fixes #5353
---
 etc/inc/vpn.inc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 417f224..70e2872 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1001,6 +1001,7 @@ EOD;
 $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2";
 if (!empty($ph1ent['certref'])) {
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ $authentication .= "\n\tleftsendcert=always";
 }
 }
 break;
@@ -1010,11 +1011,13 @@ EOD;
 $authentication .= "leftauth=pubkey\n\trightauth=eap-tls";
 if (!empty($ph1ent['certref'])) {
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ $authentication .= "\n\tleftsendcert=always";
 }
 } else {
 $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
 if (!empty($ph1ent['certref'])) {
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ $authentication .= "\n\tleftsendcert=always";
 }
 }
 if (isset($casub)) {
@@ -1027,11 +1030,13 @@ EOD;
 $authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
 if (!empty($ph1ent['certref'])) {
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ $authentication .= "\n\tleftsendcert=always";
 }
 } else {
 $authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
 if (!empty($ph1ent['certref'])) {
 $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ $authentication .= "\n\tleftsendcert=always";
 }
 }
 break;
--
cgit v1.1
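Review bot: The added `leftsendcert=always` line is repeated verbatim in five branches (the eap-mschapv2 case in the first hunk, both eap-tls branches in the second, both eap-radius branches in the third) with no comment saying why the strongSwan default is overridden. The default is `ifasked`, so this makes the gateway send its certificate even when the peer sends no certificate request; a one-line comment at the first site such as `// OS X/iOS manual IKEv2 profiles need the cert sent unconditionally, see #5353` would keep a later cleanup from dropping it. Since each site sits right after the same `leftcert=` append, consider appending both in one statement, `$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt\n\tleftsendcert=always";`, or hoisting the pair into a small helper so the five copies cannot drift. The enclosing switch starts and ends outside these hunks, so whether the non-EAP certificate modes need the same setting cannot be judged from here.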