From 7100a5797bce50678be6bb001d4d847b26ff9eca Mon Sep 17 00:00:00 2001
From: Lucas Christian <lucas@lucasec.com>
Date: Thu, 28 Dec 2023 22:08:36 -0800
Subject: T5871: ipsec remote access VPN: specify "cacerts" for client auth.

(cherry picked from commit ecc83562b4d756cc50910561a3f52ec260aeb478)
---
 data/templates/ipsec/swanctl/remote_access.j2 | 5 +++++
 1 file changed, 5 insertions(+)


diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index af7f2994e..adfa32bde 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -34,6 +34,11 @@
 {% elif rw_conf.authentication.client_mode.startswith("eap") %}
             auth = {{ rw_conf.authentication.client_mode }}
             eap_id = %any
+{% endif %}
+{% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %}
+{#          pass all configured CAs as filenames, separated by commas #}
+{#          this will produce a string like "MyCA1.pem,MyCA2.pem" #}
+            cacerts = {{ '.pem,'.join(rw_conf.authentication.x509.ca_certificate) ~ '.pem' }}
 {% endif %}
         }
         children {
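Review bot: The added `cacerts = {{ '.pem,'.join(rw_conf.authentication.x509.ca_certificate) ~ '.pem' }}` line is only guarded by the client_mode test, not by whether `x509.ca_certificate` is defined: if that node is absent the `join` either fails on an undefined value or renders `cacerts = .pem`, which strongSwan would then try to resolve as a file; and if the node were ever delivered as a single string rather than a list, Jinja's `join` would iterate its characters. Wrapping the line in `{% if rw_conf.authentication.x509.ca_certificate is vyos_defined %} … {% endif %}` (the same test the hunk already uses) keeps the template from emitting a broken directive. Since this option narrows which CAs are accepted for client-certificate authentication — presumably the intent, as the subject line says — a comment stating that explicitly would help reviewers, e.g. `{# restrict client-certificate validation to the CAs configured under x509 ca-certificate #}`, placed above the existing two comment lines. The surrounding `{% if %}` block and the `connections` stanza begin before the hunk.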
-- 