From 9963de28c04fb847a6dc49564747ffcd71fca5f7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 9 Aug 2021 15:08:49 +0200
Subject: [PATCH] IPsec: fix identity quoting for asn1dn and fqdn types. close://github.com/opnsense/core/issues/5155
---
src/etc/inc/plugins.inc.d/ipsec.inc | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 57990b8e2..d4f3db3a1 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -815,7 +815,13 @@ function ipsec_find_id(&$ph1ent, $side = 'local')
 } elseif (empty($id_data)) {
 $thisid_data = null;
 } elseif (in_array($id_type, ["asn1dn", "fqdn"])) {
- $thisid_data = "{$id_type}:{$id_data}";
+ if (strpos($id_data, "#") !== false) {
+ // XXX: the same quoting likely applies to other to the docs, but to limit impact keep only fix here
+ // (https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing)
+ $thisid_data = "\"{$id_type}:{$id_data}\"";
+ } else {
+ $thisid_data = "{$id_type}:{$id_data}";
+ }
 } elseif ($id_type == "keyid tag") {
 $thisid_data = "keyid:{$id_data}";
 } elseif ($id_type == "user_fqdn") {
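Review bot: The new quoting wraps `$id_data` in double quotes without checking for a double quote already inside it, so at `$thisid_data = "\"{$id_type}:{$id_data}\"";` an identity such as a DN whose CN contains `"` yields an unbalanced quoted value in the generated configuration; whether the ipsec.conf parser honours a backslash escape inside quotes is not visible here, so the safer course is to validate `$id_data` where the identity is stored and refuse a value containing `"` (or treat it like the `empty($id_data)` case, `$thisid_data = null;`) rather than emit it. The same unquoted construction remains in the `keyid:` branch below, which the XXX comment already acknowledges as out of scope. That comment also reads garbled — `other to the docs` — and is clearer as `// XXX: according to the docs the same quoting likely applies to other types, but to limit impact only fix it here`. ipsec_find_id begins and ends outside this hunk.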