From 8f45e0d8623a6da395e12be5b51b3ab74e490f77 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 5 Feb 2019 11:23:14 +0100
Subject: [PATCH] ipsec, nat before ipsec. if peer identifier isn't an address, spdadd can't add a tunnel. switch to remote-gateway if that is a valid ip address. It's not a complete fix, for https://github.com/opnsense/core/issues/1773 but improves error logging and adds functionality when peer identifier is currently broken.
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 080b1de82..f50de8647 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -667,6 +667,17 @@ function ipsec_configure_spd()
 if (!isset($ph2ent['disabled']) && $ph1ent['ikeid'] == $ph2ent['ikeid'] && !empty($ph2ent['spd'])) {
 $myid_data = ipsec_find_id($ph1ent, "local");
 $peerid_spec = ipsec_find_id($ph1ent, "peer");
+ if (!is_ipaddr($peerid_spec)) {
+ if (is_ipaddr($ph1ent['remote-gateway'])) {
+ $peerid_spec = $ph1ent['remote-gateway'];
+ } else {
+ log_error(sprintf(
+ "spdadd: unable to match remote network on %s or %s [skipped]",
+ $peerid_spec, $ph1ent['remote-gateway']
+ ));
+ continue;
+ }
+ }
 foreach (explode(',', $ph2ent['spd']) as $local_net) {
 $proto = $ph2ent['mode'] == "tunnel" ? "4" : "6";
 $remote_net = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
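Review bot: The new fallback reads `$ph1ent['remote-gateway']` unguarded in both the `is_ipaddr()` test and the `log_error()` arguments, so a phase-1 entry that has no such key trips an undefined-index notice on the skip path that this code is meant to make robust; guard it first, e.g. `if (isset($ph1ent['remote-gateway']) && is_ipaddr($ph1ent['remote-gateway'])) {`. The substituted gateway is also never checked against the address family the SPD entry will use, while `$proto` on the following context line is derived solely from `$ph2ent['mode']`, so an IPv6 gateway paired with an IPv4 tunnel phase 2 (or the reverse) would still be handed to spdadd instead of being skipped with a log line — worth a family check here if the file has per-family address helpers, otherwise at least a comment noting the assumption. The `continue` targets the enclosing loop over phase-2 entries, which starts before this hunk, and `ipsec_configure_spd` continues past it, so the later use of `$peerid_spec` is not visible here.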