
IPsec site-to-site migrated PKI ca certificates are created with an '@'
Closed, Resolved | Public | BUG

Description

When upgrading from 1.3 to 1.4.0-rc3, IPsec site-to-site peers whose names begin with an @ have a pki ca certificate created with an @ in the name (https://github.com/vyos/vyos-1x/blob/d736a9b70ca897bdf1e0237b64ab5c7eb958b520/src/migration-scripts/ipsec/6-to-7#L66).

The configuration loads fine but fails to commit since @ is not a valid name for pki ca.

1.3 set commands:

set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @test authentication mode 'x509'
set vpn ipsec site-to-site peer @test authentication x509 ca-cert-file '/config/auth/test.crt'
set vpn ipsec site-to-site peer @test authentication x509 cert-file '/config/auth/test.crt'
set vpn ipsec site-to-site peer @test authentication x509 key file '/config/auth/test.key'
set vpn ipsec site-to-site peer @test default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer @test ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer @test local-address '192.0.2.10'
set vpn ipsec site-to-site peer @test tunnel 1 protocol 'gre'

Output on 1.4.0-rc3 when attempting to load the migrated config:

vyos@vyos:~$ configure
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@vyos# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# compare
+ pki {
+     ca peer_@test {
+         certificate "..."
+     }
+     certificate peer_@test {
+         certificate "..."
+         private {
+             key "..."
+         }
+     }
+ }

[edit]
vyos@vyos# commit
[ pki ca peer_@test ]


[ pki ca peer_@test ]
Invalid value

[[pki]] failed
Commit failed
[edit]
vyos@vyos#
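As an added example (not part of this report or of the VyOS migration script), the check below scans a 1.3 "set" listing for x509 site-to-site peers, derives the pki name the way the report shows the migration doing it (peer_ + peer name), and flags names that will fail commit. The only validity rule applied is the one the report states (no '@'); the remediation in safe_pki_names, which strips the '@' and refuses silent collisions, is an assumption, not the project's fix.

```python
import re

# Constructed sample input: the 1.3 "set" commands from this report plus one
# address-named peer, so the check has both a failing and a passing case.
CONFIG_13 = """\
set vpn ipsec site-to-site peer @test authentication mode 'x509'
set vpn ipsec site-to-site peer @test authentication x509 ca-cert-file '/config/auth/test.crt'
set vpn ipsec site-to-site peer @test authentication x509 cert-file '/config/auth/test.crt'
set vpn ipsec site-to-site peer @test authentication x509 key file '/config/auth/test.key'
set vpn ipsec site-to-site peer @test ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 192.0.2.20 authentication mode 'x509'
set vpn ipsec site-to-site peer 192.0.2.20 authentication x509 cert-file '/config/auth/other.crt'
"""

# Captures the peer name and the rest of any site-to-site "set" command.
PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.*)$")

def x509_peers(config_text):
    """Peers using x509 authentication; only those get pki objects on migration."""
    peers = []
    for line in config_text.splitlines():
        m = PEER_RE.match(line.strip())
        if m and m.group(2) == "authentication mode 'x509'" and m.group(1) not in peers:
            peers.append(m.group(1))
    return peers

def migrated_pki_name(peer):
    """Name the 6-to-7 migration derives from the peer, as shown in the report."""
    return f"peer_{peer}"

def will_fail_commit(pki_name):
    """The report states '@' is not valid in a pki ca name; that is the only rule checked."""
    return "@" in pki_name

def audit(config_text):
    """Return [(peer, migrated_name, fails)] for every x509 peer in a 1.3 config."""
    return [(p, migrated_pki_name(p), will_fail_commit(migrated_pki_name(p)))
            for p in x509_peers(config_text)]

def safe_pki_names(peers):
    """Assumed remediation: drop the '@' and refuse to silently merge peers that collide."""
    names = {}
    for peer in peers:
        name = migrated_pki_name(peer.replace("@", ""))
        if name in names.values():
            raise ValueError(f"pki name collision for peer {peer!r}: {name}")
        names[peer] = name
    return names
```

Run audit() over the output of `show configuration commands` from a 1.3 box before upgrading; any entry with fails set to True will reproduce the "Invalid value" commit failure above.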

Details

Difficulty level: Unknown (require assessment)
Version: 1.4.0-rc3
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Viacheslav added a subscriber: Viacheslav.

@devon Could you share the example of "set" commands before migration?
It is good practice to have the "set" commands. It makes the lives of developers easy and is one of the requirements of creating bug reports.
Thanks.

Sorry about that. I have updated the description.

sarthurdev moved this task from In Progress to Finished on the VyOS 1.4 Sagitta board.
sarthurdev moved this task from In Progress to Finished on the VyOS 1.5 Circinus board.