From 7100a5797bce50678be6bb001d4d847b26ff9eca Mon Sep 17 00:00:00 2001 From: Lucas Christian Date: Thu, 28 Dec 2023 22:08:36 -0800 Subject: T5871: ipsec remote access VPN: specify "cacerts" for client auth. (cherry picked from commit ecc83562b4d756cc50910561a3f52ec260aeb478) --- data/templates/ipsec/swanctl/remote_access.j2 | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'data/templates') diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index af7f2994e..adfa32bde 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -34,6 +34,11 @@ {% elif rw_conf.authentication.client_mode.startswith("eap") %} auth = {{ rw_conf.authentication.client_mode }} eap_id = %any +{% endif %} +{% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %} +{# pass all configured CAs as filenames, separated by commas #} +{# this will produce a string like "MyCA1.pem,MyCA2.pem" #} + cacerts = {{ '.pem,'.join(rw_conf.authentication.x509.ca_certificate) ~ '.pem' }} {% endif %} } children { -- cgit v1.2.3