diff --git a/res/layout/vpn_dialog.xml b/res/layout/vpn_dialog.xml
index 841e093b503..034b6bfc38e 100644
--- a/res/layout/vpn_dialog.xml
+++ b/res/layout/vpn_dialog.xml
@@ -80,7 +80,7 @@
                         android:prompt="@string/vpn_ipsec_user_cert" />
             </LinearLayout>
 
-            <LinearLayout android:id="@+id/ipsec_ca"
+            <LinearLayout android:id="@+id/ipsec_peer"
                     android:layout_width="match_parent"
                     android:layout_height="wrap_content"
                     android:orientation="vertical"
@@ -88,6 +88,9 @@
                 <TextView style="@style/vpn_label" android:text="@string/vpn_ipsec_ca_cert"/>
                 <Spinner style="@style/vpn_value" android:id="@+id/ipsec_ca_cert"
                         android:prompt="@string/vpn_ipsec_ca_cert" />
+                <TextView style="@style/vpn_label" android:text="@string/vpn_ipsec_server_cert"/>
+                <Spinner style="@style/vpn_value" android:id="@+id/ipsec_server_cert"
+                        android:prompt="@string/vpn_ipsec_server_cert" />
             </LinearLayout>
 
             <CheckBox style="@style/vpn_value" android:id="@+id/show_options"
diff --git a/res/values/strings.xml b/res/values/strings.xml
index aa3b94f3a8a..9a2912207ce 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -3658,6 +3658,8 @@ found in the list of installed apps.</string>
     <string name="vpn_ipsec_user_cert">IPSec user certificate</string>
     <!-- Selection label for the IPSec CA certificate of a VPN network. [CHAR LIMIT=40] -->
     <string name="vpn_ipsec_ca_cert">IPSec CA certificate</string>
+    <!-- Selection label for the IPSec server certificate of a VPN network. [CHAR LIMIT=40] -->
+    <string name="vpn_ipsec_server_cert">IPSec server certificate</string>
     <!-- Checkbox label to show advanced options of a VPN network. [CHAR LIMIT=40] -->
     <string name="vpn_show_options">Show advanced options</string>
     <!-- Input label for the DNS search domains of a VPN network. [CHAR LIMIT=40] -->
@@ -3676,6 +3678,8 @@ found in the list of installed apps.</string>
     <string name="vpn_not_used">(not used)</string>
     <!-- Option to not use a CA certificate to verify the VPN server. [CHAR LIMIT=40] -->
     <string name="vpn_no_ca_cert">(don\'t verify server)</string>
+    <!-- Option to use the server certificate received from the VPN server. [CHAR LIMIT=40] -->
+    <string name="vpn_no_server_cert">(received from server)</string>
 
     <!-- Button label to cancel chaning a VPN network. [CHAR LIMIT=40] -->
     <string name="vpn_cancel">Cancel</string>
diff --git a/src/com/android/settings/vpn2/VpnDialog.java b/src/com/android/settings/vpn2/VpnDialog.java
index cce5e2d637c..aaae887edc4 100644
--- a/src/com/android/settings/vpn2/VpnDialog.java
+++ b/src/com/android/settings/vpn2/VpnDialog.java
@@ -61,6 +61,7 @@ class VpnDialog extends AlertDialog implements TextWatcher,
     private TextView mIpsecSecret;
     private Spinner mIpsecUserCert;
     private Spinner mIpsecCaCert;
+    private Spinner mIpsecServerCert;
     private CheckBox mSaveLogin;
 
     VpnDialog(Context context, DialogInterface.OnClickListener listener,
@@ -94,6 +95,7 @@ class VpnDialog extends AlertDialog implements TextWatcher,
         mIpsecSecret = (TextView) mView.findViewById(R.id.ipsec_secret);
         mIpsecUserCert = (Spinner) mView.findViewById(R.id.ipsec_user_cert);
         mIpsecCaCert = (Spinner) mView.findViewById(R.id.ipsec_ca_cert);
+        mIpsecServerCert = (Spinner) mView.findViewById(R.id.ipsec_server_cert);
         mSaveLogin = (CheckBox) mView.findViewById(R.id.save_login);
 
         // Second, copy values from the profile.
@@ -113,6 +115,8 @@ class VpnDialog extends AlertDialog implements TextWatcher,
                 0, mProfile.ipsecUserCert);
         loadCertificates(mIpsecCaCert, Credentials.CA_CERTIFICATE,
                 R.string.vpn_no_ca_cert, mProfile.ipsecCaCert);
+        loadCertificates(mIpsecServerCert, Credentials.USER_CERTIFICATE,
+                R.string.vpn_no_server_cert, mProfile.ipsecServerCert);
         mSaveLogin.setChecked(mProfile.saveLogin);
 
         // Third, add listeners to required fields.
@@ -215,7 +219,7 @@ class VpnDialog extends AlertDialog implements TextWatcher,
         mView.findViewById(R.id.l2tp).setVisibility(View.GONE);
         mView.findViewById(R.id.ipsec_psk).setVisibility(View.GONE);
         mView.findViewById(R.id.ipsec_user).setVisibility(View.GONE);
-        mView.findViewById(R.id.ipsec_ca).setVisibility(View.GONE);
+        mView.findViewById(R.id.ipsec_peer).setVisibility(View.GONE);
 
         // Then, unhide type-specific fields.
         switch (type) {
@@ -237,7 +241,7 @@ class VpnDialog extends AlertDialog implements TextWatcher,
                 mView.findViewById(R.id.ipsec_user).setVisibility(View.VISIBLE);
                 // fall through
             case VpnProfile.TYPE_IPSEC_HYBRID_RSA:
-                mView.findViewById(R.id.ipsec_ca).setVisibility(View.VISIBLE);
+                mView.findViewById(R.id.ipsec_peer).setVisibility(View.VISIBLE);
                 break;
         }
     }
@@ -363,6 +367,9 @@ class VpnDialog extends AlertDialog implements TextWatcher,
                 if (mIpsecCaCert.getSelectedItemPosition() != 0) {
                     profile.ipsecCaCert = (String) mIpsecCaCert.getSelectedItem();
                 }
+                if (mIpsecServerCert.getSelectedItemPosition() != 0) {
+                    profile.ipsecServerCert = (String) mIpsecServerCert.getSelectedItem();
+                }
                 break;
         }
 
diff --git a/src/com/android/settings/vpn2/VpnProfile.java b/src/com/android/settings/vpn2/VpnProfile.java
index 3ee3af066fe..d4d0e79187a 100644
--- a/src/com/android/settings/vpn2/VpnProfile.java
+++ b/src/com/android/settings/vpn2/VpnProfile.java
@@ -51,6 +51,7 @@ class VpnProfile implements Cloneable {
     String ipsecSecret = "";    // 11
     String ipsecUserCert = "";  // 12
     String ipsecCaCert = "";    // 13
+    String ipsecServerCert = "";// 14
 
     // Helper fields.
     boolean saveLogin = false;
@@ -66,8 +67,8 @@ class VpnProfile implements Cloneable {
             }
 
             String[] values = new String(value, Charsets.UTF_8).split("\0", -1);
-            // Currently it always has 14 fields.
-            if (values.length < 14) {
+            // There can be 14 or 15 values in ICS MR1.
+            if (values.length < 14 || values.length > 15) {
                 return null;
             }
 
@@ -89,6 +90,7 @@ class VpnProfile implements Cloneable {
             profile.ipsecSecret = values[11];
             profile.ipsecUserCert = values[12];
             profile.ipsecCaCert = values[13];
+            profile.ipsecServerCert = (values.length > 14) ? values[14] : "";
 
             profile.saveLogin = !profile.username.isEmpty() || !profile.password.isEmpty();
             return profile;
@@ -113,6 +115,7 @@ class VpnProfile implements Cloneable {
         builder.append('\0').append(ipsecSecret);
         builder.append('\0').append(ipsecUserCert);
         builder.append('\0').append(ipsecCaCert);
+        builder.append('\0').append(ipsecServerCert);
         return builder.toString().getBytes(Charsets.UTF_8);
     }
 }
diff --git a/src/com/android/settings/vpn2/VpnSettings.java b/src/com/android/settings/vpn2/VpnSettings.java
index 0197333afbd..655306aac46 100644
--- a/src/com/android/settings/vpn2/VpnSettings.java
+++ b/src/com/android/settings/vpn2/VpnSettings.java
@@ -354,6 +354,7 @@ public class VpnSettings extends SettingsPreferenceFragment implements
         String privateKey = "";
         String userCert = "";
         String caCert = "";
+        String serverCert = "";
         if (!profile.ipsecUserCert.isEmpty()) {
             byte[] value = mKeyStore.get(Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert);
             privateKey = (value == null) ? null : new String(value, Charsets.UTF_8);
@@ -364,7 +365,11 @@ public class VpnSettings extends SettingsPreferenceFragment implements
             byte[] value = mKeyStore.get(Credentials.CA_CERTIFICATE + profile.ipsecCaCert);
             caCert = (value == null) ? null : new String(value, Charsets.UTF_8);
         }
-        if (privateKey == null || userCert == null || caCert == null) {
+        if (!profile.ipsecServerCert.isEmpty()) {
+            byte[] value = mKeyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecServerCert);
+            serverCert = (value == null) ? null : new String(value, Charsets.UTF_8);
+        }
+        if (privateKey == null || userCert == null || caCert == null || serverCert == null) {
             // TODO: find out a proper way to handle this. Delete these keys?
             throw new IllegalStateException("Cannot load credentials");
         }
@@ -380,7 +385,8 @@ public class VpnSettings extends SettingsPreferenceFragment implements
                 break;
             case VpnProfile.TYPE_L2TP_IPSEC_RSA:
                 racoon = new String[] {
-                    interfaze, profile.server, "udprsa", privateKey, userCert, caCert, "1701",
+                    interfaze, profile.server, "udprsa", privateKey, userCert,
+                    caCert, serverCert, "1701",
                 };
                 break;
             case VpnProfile.TYPE_IPSEC_XAUTH_PSK:
@@ -391,14 +397,14 @@ public class VpnSettings extends SettingsPreferenceFragment implements
                 break;
             case VpnProfile.TYPE_IPSEC_XAUTH_RSA:
                 racoon = new String[] {
-                    interfaze, profile.server, "xauthrsa", privateKey, userCert, caCert,
-                    profile.username, profile.password, "", gateway,
+                    interfaze, profile.server, "xauthrsa", privateKey, userCert,
+                    caCert, serverCert, profile.username, profile.password, "", gateway,
                 };
                 break;
             case VpnProfile.TYPE_IPSEC_HYBRID_RSA:
                 racoon = new String[] {
-                    interfaze, profile.server, "hybridrsa", caCert,
-                    profile.username, profile.password, "", gateway,
+                    interfaze, profile.server, "hybridrsa",
+                    caCert, serverCert, profile.username, profile.password, "", gateway,
                 };
                 break;
         }