vyos · cpcowart · Nov 16, 2025
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
@@ -8,6 +8,9 @@
         proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
         version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
         send_certreq = no
+{% if rw_conf.authentication.always_send_cert is vyos_defined %}
+        send_cert = always
+{% endif %}
 {% if ike.dead_peer_detection is vyos_defined %}
         dpd_timeout = {{ ike.dead_peer_detection.timeout }}
         dpd_delay = {{ ike.dead_peer_detection.interval }}

diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
@@ -870,6 +870,12 @@
                         <defaultValue>eap-mschapv2</defaultValue>
                       </leafNode>
                       #include <include/auth-local-users.xml.i>
+                      <leafNode name="always-send-cert">
+                        <properties>
+                          <help>Always send local certificate for this connection</help>
+                          <valueless/>
+                        </properties>
+                      </leafNode>
                       <leafNode name="server-mode">
                         <properties>
                           <help>Server authentication mode</help>

diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -1151,10 +1151,7 @@ def test_remote_access_x509(self):
         for line in swanctl_lines:
             self.assertIn(line, swanctl_conf)
 
-        swanctl_unexpected_lines = [
-            f'auth = eap-',
-            f'eap_id'
-        ]
+        swanctl_unexpected_lines = [f'auth = eap-', f'eap_id', f'send_cert =']
         for unexpected_line in swanctl_unexpected_lines:
             self.assertNotIn(unexpected_line, swanctl_conf)
 
@@ -1171,6 +1168,22 @@ def test_remote_access_x509(self):
         self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}.pem')))
         self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
 
+        # Add the always-send-cert config and observe the change
+        self.cli_set(
+            base_path
+            + [
+                'remote-access',
+                'connection',
+                conn_name,
+                'authentication',
+                'always-send-cert',
+            ]
+        )
+        self.cli_commit()
+
+        swanctl_conf = read_file(swanctl_file)
+        self.assertIn(f'send_cert = always', swanctl_conf)
+
         self.tearDownPKI()
 
     def test_remote_access_dhcp_fail_handling(self):