ipsec: strongswan: pubkey auth trusted CAs

[reet-]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

I'm in the process of migrating an IPsec roadwarrior setup currently configured in the legacy tunnel settings to the new Connections interface.

Our current pubkey auth settings in the legacy tunnel settings for the remote looks like this:

# swanctl --list-conns
...
  remote public key authentication:
    id: %any
    cacerts: C=de, O=example, CN=ca

Whereas a new connection config results in:

# swanctl --list-conns
...
remote public key authentication: (nil)

I found no way to only allow roadwarriors under a specific CA to connect.

Describe the solution you like

For pubkey auth it should be possible to only allow one or more trusted CAs.

Describe alternatives you considered

Also specifying a wildcard match (e.g. C=de, O=example, CN=* in the Remote Authentication Id field does not work even though strongswan supports this. Furthermore the Id field does not allow whitespaces but they are common in certificates. Both C=de, O=example and O=my Project are rejected.