When upgrading from 1.3 to 1.4.0-rc3, IPsec site-to-site peers whose names begin with an @ have a pki ca certificate created with an @ in the name (https://github.com/vyos/vyos-1x/blob/d736a9b70ca897bdf1e0237b64ab5c7eb958b520/src/migration-scripts/ipsec/6-to-7#L66).
The configuration loads fine but fails to commit since @ is not a valid name for pki ca.
1.3 set commands:
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @test authentication mode 'x509'
set vpn ipsec site-to-site peer @test authentication x509 ca-cert-file '/config/auth/test.crt'
set vpn ipsec site-to-site peer @test authentication x509 cert-file '/config/auth/test.crt'
set vpn ipsec site-to-site peer @test authentication x509 key file '/config/auth/test.key'
set vpn ipsec site-to-site peer @test default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer @test ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer @test local-address '192.0.2.10'
set vpn ipsec site-to-site peer @test tunnel 1 protocol 'gre'
Output on 1.4.0-rc3 when attempting to load the migrated config:
vyos@vyos:~$ configure
WARNING: There was a config error on boot: saving the configuration now could overwrite data.
You may want to check and reload the boot config
[edit]
vyos@vyos# load
Loading configuration from 'config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# compare
+ pki {
+     ca peer_@test {
+         certificate "..."
+     }
+     certificate peer_@test {
+         certificate "..."
+         private {
+             key "..."
+         }
+     }
+ }
[edit]
vyos@vyos# commit
[ pki ca peer_@test ]
[ pki ca peer_@test ]
Invalid value
[[pki]] failed
Commit failed
[edit]
vyos@vyos#
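
A pre-upgrade check for the failure shown above, as an added example (not VyOS code and not the migration script's logic): it scans 1.3 set commands for x509 site-to-site peers, builds the `peer_<name>` form seen in the compare output, and proposes a replacement where that name would be rejected. The allowed-character set, the function names, the `-2` collision suffix and the sample peers are assumptions; the page states only that `@` is rejected.

```python
import re

# Assumption: PKI entry names may contain only letters, digits, '-' and '_'.
# The page itself confirms only that '@' is not accepted.
VALID_PKI_NAME = re.compile(r"[A-Za-z0-9_-]+")
PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) authentication x509 ")

# Constructed sample input, modelled on the 1.3 commands in the report.
SAMPLE = """\
set vpn ipsec site-to-site peer @test authentication mode 'x509'
set vpn ipsec site-to-site peer @test authentication x509 cert-file '/config/auth/test.crt'
set vpn ipsec site-to-site peer test authentication x509 cert-file '/config/auth/test2.crt'
set vpn ipsec site-to-site peer 203.0.113.5 authentication mode 'pre-shared-secret'
"""

def x509_peers(set_commands):
    """Return x509 site-to-site peer names in order of first appearance."""
    peers = []
    for line in set_commands.splitlines():
        m = PEER_RE.match(line.strip())
        if m and m.group(1) not in peers:
            peers.append(m.group(1))
    return peers

def safe_pki_name(peer, taken):
    """Replace disallowed characters and keep the result unique within `taken`."""
    stem = re.sub(r"[^A-Za-z0-9_-]+", "-", peer).strip("-") or "unnamed"
    name, n = "peer_" + stem, 1
    while name in taken:  # e.g. '@test' and 'test' would otherwise collide
        n += 1
        name = f"peer_{stem}-{n}"
    taken.add(name)
    return name

def migration_plan(set_commands):
    """Map each x509 peer to a PKI name that passes VALID_PKI_NAME."""
    peers = x509_peers(set_commands)
    # Names that are already valid stay unchanged and are reserved first.
    plan = {p: "peer_" + p for p in peers if VALID_PKI_NAME.fullmatch("peer_" + p)}
    taken = set(plan.values())
    for p in peers:
        if p not in plan:
            plan[p] = safe_pki_name(p, taken)
    return plan

if __name__ == "__main__":
    for peer, name in migration_plan(SAMPLE).items():
        print(f"{peer!r:>10} -> {name}")
```
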