From a702cf9fb3300e125cd7acc8af3813474606e509 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 31 Aug 2023 15:10:59 +0200
Subject: [PATCH] VPN: IPsec: Connections - omit conditional authentication properties when not applicable. closes https://github.com/opnsense/core/issues/6807
---
 src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php
index 0d7f6e72c..82150b11a 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php
+++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php
@@ -172,11 +172,18 @@ class Swanctl extends BaseModel
 }
 $thisnode[$attr_name] = implode(',', $tmp);
 } elseif ($attr_name == 'pubkeys') {
+ if ((string)$node->auth != 'pubkey') {
+ // explicit skip, pubkeys bound to auth type selection
+ continue;
+ }
 $tmp = [];
 foreach (explode(',', (string)$attr) as $item) {
 $tmp[] = $item . '.pem';
 }
 $thisnode[$attr_name] = implode(',', $tmp);
+ } elseif ($attr_name == 'eap_id' && strpos((string)$node->auth, 'eap') === false) {
+ // explicit skip, eap_id is only valid for eap auth types.
+ continue;
 } else {
 $thisnode[$attr_name] = (string)$attr;
 }
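Review bot: The two new gates match the auth type by different rules: `pubkeys` is emitted only when auth is exactly `pubkey`, while `eap_id` is emitted whenever `eap` occurs anywhere in the auth string. Since these conditions decide which identity constraints reach the generated swanctl configuration, anchor the EAP test to the prefix, `} elseif ($attr_name == 'eap_id' && strpos((string)$node->auth, 'eap') !== 0) {`, and use `!==` in the pubkey test. strongSwan also accepts auth values that extend `pubkey` with hash or key-strength constraints (for example `pubkey-sha256`); if the model ever allows those, the exact comparison would silently drop the configured `pubkeys`, so a comment naming the auth values each gate is written for would help. The model's option list and the rest of the enclosing loop lie outside this hunk.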