From 3af487bcf65a4d8a32ea999f16f1a932620e80e7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 7 Mar 2023 19:55:03 +0100
Subject: [PATCH] VPN: IPsec: Tunnel Settings - "Allow any remote gateway to connect" should suffix all in order to connect to the other end.

closes https://github.com/opnsense/core/issues/6396
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 4a660588f..b8d33c3dd 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -1339,9 +1339,16 @@ function ipsec_configure_do($verbose = false, $interface = '')
 'remote-0' => [
 'id' => ipsec_find_id($ph1ent, "peer") ?? '%any'
 ],
- 'remote_addrs' => !isset($ph1ent['mobile']) && empty($ph1ent['rightallowany']) ? $ph1ent['remote-gateway'] : '0.0.0.0/0,::/0',
 'encap' => !empty($ph1ent['nat_traversal']) && $ph1ent['nat_traversal'] == 'force' ? 'yes' : 'no',
 ];
+ if (!isset($ph1ent['mobile'])) {
+ $connection['remote_addrs'] = $ph1ent['remote-gateway'];
+ if (!empty($ph1ent['rightallowany'])) {
+ $connection['remote_addrs'] .= ',0.0.0.0/0,::/0';
+ }
+ } else {
+ $connection['remote_addrs'] = '%any'; // default
+ }
 if (!isset($ph1ent['reauth_enable']) && !empty($ph1ent['lifetime']) && !empty($ph1ent['margintime'])) {
 // XXX: should probably move to a gui setting for reauth_time and deprecate "Disable Reauth"
 $connection['reauth_time'] = ($ph1ent['lifetime'] - $ph1ent['margintime']) . ' s';
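Review bot: In the non-mobile branch an empty or unset `remote-gateway` combined with `rightallowany` now yields `,0.0.0.0/0,::/0` with a leading comma (and an undefined-index notice when the key is absent), whereas the removed expression produced a clean `0.0.0.0/0,::/0`; assembling the list from its parts avoids both, e.g. `$addrs = !empty($ph1ent['remote-gateway']) ? [$ph1ent['remote-gateway']] : [];` then `if (!empty($ph1ent['rightallowany'])) { array_push($addrs, '0.0.0.0/0', '::/0'); }` and `$connection['remote_addrs'] = implode(',', $addrs);`. Whether a non-mobile phase1 can reach this code without a gateway configured is not visible in the hunk, so this may be defensive only. The `// default` comment on the `%any` assignment explains nothing; something like `// mobile peers have no fixed address, so any source may initiate; the remote id and authentication still gate the connection` states why the wildcard is acceptable there. The same reasoning is worth a comment on the `rightallowany` suffix, since with it the tunnel accepts initiation from any source address and the configured `remote-0` id (itself falling back to `%any`) plus authentication are what reject other peers. `ipsec_configure_do` begins and ends outside this hunk.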