1 files changed, 15 insertions, 8 deletions

diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 8ad16893049..18015850ab4 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ike.c,v 1.13 2005/12/28 19:18:43 naddy Exp $	*/
+/*	$OpenBSD: ike.c,v 1.14 2006/01/16 23:57:20 reyk Exp $	*/
 /*
  * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -31,7 +31,8 @@
 
 #include "ipsecctl.h"
 
-static void	ike_section_peer(struct ipsec_addr_wrap *, FILE *);
+static void	ike_section_peer(struct ipsec_addr_wrap *, FILE *,
+		    struct ike_auth *);
 static void	ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
 		    FILE *);
 static void	ike_section_ipsec(struct ipsec_addr_wrap *, struct
@@ -40,7 +41,7 @@ static int	ike_section_qm(struct ipsec_addr_wrap *, struct
 		    ipsec_addr_wrap *, u_int8_t, struct ipsec_transforms *,
 		    FILE *);
 static int	ike_section_mm(struct ipsec_addr_wrap *, struct
-		    ipsec_transforms *, FILE *);
+		    ipsec_transforms *, FILE *, struct ike_auth *);
 static void	ike_section_qmids(struct ipsec_addr_wrap *, struct
 		    ipsec_addr_wrap *, FILE *);
 static int	ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
@@ -58,11 +59,14 @@ int		ike_ipsec_establish(int, struct ipsec_rule *);
 #define ISAKMPD_FIFO	"/var/run/isakmpd.fifo"
 
 static void
-ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd)
+ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth)
 {
 	fprintf(fd, SET "[Phase 1]:%s=peer-%s force\n", peer->name, peer->name);
 	fprintf(fd, SET "[peer-%s]:Phase=1 force\n", peer->name);
 	fprintf(fd, SET "[peer-%s]:Address=%s force\n", peer->name, peer->name);
+	if (auth->type == IKE_AUTH_PSK)
+		fprintf(fd, SET "[peer-%s]:Authentication=%s\n",
+		    peer->name, auth->string);
 }
 
 static void
@@ -178,7 +182,7 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
 
 static int
 ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
-    FILE *fd)
+    FILE *fd, struct ike_auth *auth)
 {
 	if (!(mmxfs->authxf || mmxfs->encxf))
 		return (0);
@@ -228,7 +232,10 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
 	} else
 		fprintf(fd, "SHA");
 
-	fprintf(fd, "-RSA_SIG\n");
+	if (auth->type == IKE_AUTH_RSA)
+		fprintf(fd, "-RSA_SIG\n");
+	else
+		fprintf(fd, "\n");
 
 	return (0);
 }
@@ -305,8 +312,8 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
 static int
 ike_gen_config(struct ipsec_rule *r, FILE *fd)
 {
-	ike_section_peer(r->peer, fd);
-	if (ike_section_mm(r->peer, r->mmxfs, fd) == -1)
+	ike_section_peer(r->peer, fd, r->ikeauth);
+	if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1)
 		return (-1);
 	ike_section_ids(r->peer, r->auth, fd);
 	ike_section_ipsec(r->src, r->dst, r->peer, fd);