Merge pull request #2708 from lucasec/t5871

T5871: ipsec remote access VPN: specify "cacerts" for client auth
author: Christian Breunig <christian@breunig.cc> 2024-04-12 07:09:25 +0200
committer: GitHub <noreply@github.com> 2024-04-12 07:09:25 +0200
commit: 041a57d69dc7b8d104b8e3a6e8b35723552a1b63 (patch)
tree: bcaca728b1c782108790989a5dd030c28d7a6251 /data/templates
parent: 00be89b76bc1b6ec0ce04dc7957a8dbc7a65065b (diff)
parent: ecc83562b4d756cc50910561a3f52ec260aeb478 (diff)
download: vyos-1x-041a57d69dc7b8d104b8e3a6e8b35723552a1b63.tar.gz
vyos-1x-041a57d69dc7b8d104b8e3a6e8b35723552a1b63.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index af7f2994e..adfa32bde 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -35,6 +35,11 @@
             auth = {{ rw_conf.authentication.client_mode }}
             eap_id = %any
 {% endif %}
+{% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %}
+{#          pass all configured CAs as filenames, separated by commas #}
+{#          this will produce a string like "MyCA1.pem,MyCA2.pem" #}
+            cacerts = {{ '.pem,'.join(rw_conf.authentication.x509.ca_certificate) ~ '.pem' }}
+{% endif %}
         }
         children {
             ikev2-vpn  {
author	Christian Breunig <christian@breunig.cc>	2024-04-12 07:09:25 +0200
committer	GitHub <noreply@github.com>	2024-04-12 07:09:25 +0200
commit	041a57d69dc7b8d104b8e3a6e8b35723552a1b63 (patch)
tree	bcaca728b1c782108790989a5dd030c28d7a6251 /data/templates
parent	00be89b76bc1b6ec0ce04dc7957a8dbc7a65065b (diff)
parent	ecc83562b4d756cc50910561a3f52ec260aeb478 (diff)
download	vyos-1x-041a57d69dc7b8d104b8e3a6e8b35723552a1b63.tar.gz vyos-1x-041a57d69dc7b8d104b8e3a6e8b35723552a1b63.zip