From bc2497adcce9ba105dbf60959d35bb101e7964ae Mon Sep 17 00:00:00 2001
From: Kevin Locke
Date: Sat, 30 Nov 2024 14:36:49 -0700
Subject: [PATCH] strongswan: swanctl: Add support for send_certreq
Support the [send_certreq] connection configuration option to disable offering trusted root CA certificates and reduce the size of the initial IKE packets. This work is based on a patch by @aleks-mariusz in https://forum.openwrt.org/t/confusion-regarding-setting-up-ikev2-vpn-service-with-strongswan-using-ipsec-and-swanctl/169587/9
[send_certreq]: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_connections
Signed-off-by: Kevin Locke
---
 net/strongswan/files/swanctl.init | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
index 7fc4a0d10bc1b3..8a94cdff2591a7 100644
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@@ -458,6 +458,7 @@ config_remote() {
 local local_key
 local ca_cert
 local rekeytime
+ local send_certreq
 local remote_ca_certs
 local pools
 local eap_id
@@ -483,6 +484,7 @@ config_remote() {
 config_get rekeytime "$conf" rekeytime
 config_get overtime "$conf" overtime
 config_get send_cert "$conf" send_cert
+ config_get_bool send_certreq "$conf" send_certreq 1
 config_get eap_id "$conf" eap_id "%any"
 config_list_foreach "$conf" local_sourceip append_var local_sourceip ","
@@ -583,6 +585,7 @@ config_remote() {
 esac
 [ -n "$send_cert" ] && swanctl_xappend2 "send_cert = $send_cert"
+ [ $send_certreq -eq 1 ] && swanctl_xappend2 "send_certreq = yes" || swanctl_xappend2 "send_certreq = no"
 [ $mobike -eq 1 ] && swanctl_xappend2 "mobike = yes" || swanctl_xappend2 "mobike = no"
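Review bot: The added `config_get_bool send_certreq "$conf" send_certreq 1` line in the second hunk introduces a new UCI option with no comment on what disabling it changes for authentication. I would put a comment above it such as `# send_certreq=0 stops offering our trusted root CAs in CERTREQ payloads (smaller initial IKE packets); the peer then selects its certificate without that hint`. Validation of the peer's certificate should be unaffected, but a peer holding several certificates may then present one that does not chain to a configured CA, which is worth knowing when debugging authentication failures. config_remote starts and ends outside the hunk.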
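Review bot: The `A && B || C` chain on the added `send_certreq` line in the third hunk also runs the `no` branch whenever the `yes` append returns non-zero, so a failed write could put a contradictory `send_certreq = no` into the generated swanctl configuration. The neighbouring `mobike` line has the same shape. An explicit branch avoids this, and quoting the variable keeps the test well-formed if it is ever empty: `if [ "$send_certreq" -eq 1 ]; then swanctl_xappend2 "send_certreq = yes"; else swanctl_xappend2 "send_certreq = no"; fi`. Whether swanctl_xappend2 can actually fail is not visible here, and config_remote's body continues outside the hunk.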