Add an ipsec.conf leftgroups2 parameter for the second authentication round

2 files changed, 6 insertions, 3 deletions

diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index da0d2a74d..8657c3b26 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -365,7 +365,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 {
 	identification_t *identity;
 	certificate_t *certificate;
-	char *auth, *id, *pubkey, *cert, *ca;
+	char *auth, *id, *pubkey, *cert, *ca, *groups;
 	stroke_end_t *end, *other_end;
 	auth_cfg_t *cfg;
 
@@ -491,12 +491,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 
 	/* groups */
-	if (end->groups)
+	groups = primary ? end->groups : end->groups2;
+	if (groups)
 	{
 		enumerator_t *enumerator;
 		char *group;
 
-		enumerator = enumerator_create_token(end->groups, ",", " ");
+		enumerator = enumerator_create_token(groups, ",", " ");
 		while (enumerator->enumerate(enumerator, &group))
 		{
 			cfg->add(cfg, AUTH_RULE_GROUP,
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 698c45ed8..6bf65cc7e 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -181,6 +181,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->ca);
 	pop_string(msg, &end->ca2);
 	pop_string(msg, &end->groups);
+	pop_string(msg, &end->groups2);
 	pop_string(msg, &end->cert_policy);
 	pop_string(msg, &end->updown);
 
@@ -197,6 +198,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	DBG2(DBG_CFG, "  %sca=%s", label, end->ca);
 	DBG2(DBG_CFG, "  %sca2=%s", label, end->ca2);
 	DBG2(DBG_CFG, "  %sgroups=%s", label, end->groups);
+	DBG2(DBG_CFG, "  %sgroups2=%s", label, end->groups2);
 	DBG2(DBG_CFG, "  %supdown=%s", label, end->updown);
 }