From 5324ea38a1783200f3d8c1eec1229505c19968ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ermal=20LU=C3=87I?= Date: Wed, 7 Jan 2015 21:02:09 +0100 Subject: Move to specifically specifying the ID type apart when an ip address to have strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving by its own. --- etc/inc/vpn.inc | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'etc/inc/vpn.inc') diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index d5775da..60a844f 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -478,14 +478,14 @@ EOD; /* XXX" Traffic selectors? */ $pskconf .= " : RSA {$ph1keyfile}\n"; } else { - list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); - list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); + list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local'); + list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap); if (empty($peerid_data)) continue; $myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any"; - $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : ""; + $peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : ''; if (!empty($ph1ent['pre-shared-key'])) { if ($myid_type == 'fqdn' && !empty($myid_data)) $pskconf .= "@{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n"; 
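Review bot: The ipsec.secrets selectors in this hunk are still written untyped (`@{$myid}` only when `$myid_type == 'fqdn'`, a bare `{$peerid}` otherwise), while the second hunk changes the ipsec.conf IDs to the `{$type}:{$data}` form. For any type other than `address` or `fqdn`, strongSwan may parse the same identity as a different ID type in the two files, so the PSK lookup could miss its entry or fall back to a broader selector such as `%any` if one exists. If the secrets parser accepts the same prefixes, build the selector the same way here, for example `$peerid = "{$peerid_type}:" . trim($peerid_data);` for non-address types, and add a comment above the `$pskconf` lines stating which selector form is expected. The enclosing block starts and ends outside the hunk and `ipsec_find_id()` is not visible, so the set of type strings it can return needs to be confirmed.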
@@ -560,17 +560,19 @@ EOD; } else $right_spec = $ph1ent['remote-gateway']; - list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); - if ($myid_type == 'fqdn') - $myid_data = "@{$myid_data}"; - list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); - if ($peerid_type == 'fqdn') - $peerid_data = "@{$peerid_data}"; + list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local'); + if ($myid_type != 'address') + $myid_data = "{$myid_type}:{$myid_data}"; /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ $peerid_spec = ''; - if (!isset($ph1ent['mobile'])) - $peerid_spec = $peerid_data; + if (!isset($ph1ent['mobile'])) { + list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap); + if ($peerid_type != 'address') + $peerid_spec = "{$peerid_type}:{$peerid_data}"; + else + $peerid_spec = $peerid_data; + } if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { $ealgosp1 = ''; -- cgit v1.1
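Review bot: `"{$myid_type}:{$myid_data}"` and `"{$peerid_type}:{$peerid_data}"` pass whatever type string `ipsec_find_id()` returns straight through as a strongSwan identity prefix. The data is neither trimmed nor checked for emptiness, whereas the secrets code in the first hunk applies `trim()` and skips an empty peer ID. If that function (not visible here) can return a type name strongSwan does not recognise as a prefix, the whole string would presumably be parsed as some other ID type, and an empty value yields a bare `type:`, so the peer identity check would no longer match what the administrator configured. I would trim both values, guard the prefix with `if ($myid_type != 'address' && !empty($myid_data))`, and restrict the prefix to a known list. A comment such as `/* type from ipsec_find_id() must be a valid strongSwan ID prefix */` would record the assumption. The surrounding function starts and ends outside the hunk.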