From 8c61c4f4875e75c6563fff3049d9e8d8a4ab8ad4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 8 Jan 2016 10:44:28 +0100
Subject: [PATCH] (legacy/ipsec) fixes for certref, caref, trust config data instead of reengineering authentication_method again...
---
 src/etc/inc/vpn.inc | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index 7ededb6e1..8b3f21784 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -579,9 +579,6 @@ EOD;
 switch ($ph1ent['authentication_method']) {
 case 'eap-tls':
 $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
- if (!empty($ph1ent['certref'])) {
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- }
 break;
 case 'xauth_rsa_server':
 $authentication = "leftauth = pubkey\n\trightauth = pubkey";
@@ -602,6 +599,19 @@ EOD;
 $authentication .= "\n\trightauth2 = xauth";
 break;
 }
+ if (!empty($ph1ent['certref'])) {
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ }
+ if (!empty($ph1ent['caref'])) {
+ $ca = lookup_ca($ph1ent['caref']);;
+ if (!empty($ca)) {
+ $rightca = "";
+ foreach (cert_get_subject_array($ca['crt']) as $ca_field) {
+ $rightca .= "{$ca_field['a']}={$ca_field['v']}/";
+ }
+ $authentication .= "\n\trightca=\"/$rightca\"";
+ }
+ }
 $left_spec = $ep;
 if (isset($ph1ent['reauth_enable'])) {
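Review bot: The `rightca` value in the added `caref` block is built from raw CA subject fields and placed inside a double-quoted config value with no validation, so a subject value containing `"`, a line break or `/` would produce a malformed `rightca` line or one that parses to a different DN. Because this directive constrains which issuing CA the peer certificate is accepted from, I would check each field before appending, e.g. `if (preg_match('/["\/\r\n]/', $ca_field['v'])) { /* log and refuse to emit this connection */ }`, rather than writing a constraint that may not mean what the configuration intended. The `foreach` also assumes `cert_get_subject_array()` returns an array; its definition is not visible here, so an `is_array()` guard may be needed if it can fail on an unparsable certificate. Separately, `leftcert` and `rightca` are now emitted for every authentication method, so a `certref` or `caref` left in a phase 1 entry after switching to a PSK method still reaches the generated config. The enclosing function starts and ends outside the hunk, so whether the certificate file is written in that case cannot be confirmed from here.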