
Generate ipsec profile error
Status: Closed, Resolved (Public, BUG)

Description

Hello.
I’m trying to set up an IKEv2 remote-access VPN, but after setting it up I can’t create profiles with the built-in generator.

vyos@vyos:~$ generate ipsec profile windows-remote-access support remote vpn.somedomain.com
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 150, in <module>
    ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
                               ~~~~~~~~~^^^^^^^^^
TypeError: unhashable type: 'list'
vyos@vyos:~$
vyos@vyos:~$ show ver | match Version
Version:          VyOS 1.5-rolling-202405260021
vyos@vyos:~$
set pki ca isrgrootx1 certificate 'certdata'
set pki ca lets-encrypt-r3 certificate 'certdata'
set pki certificate vpn6 certificate 'certdata from letsencrypt'
set pki certificate vpn6 private key 'privkey from letsencrypt'
set vpn ipsec esp-group vpn lifetime '3600'
set vpn ipsec esp-group vpn pfs 'enable'
set vpn ipsec esp-group vpn proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group vpn proposal 10 hash 'sha256'
set vpn ipsec ike-group vpn key-exchange 'ikev2'
set vpn ipsec ike-group vpn lifetime '7200'
set vpn ipsec ike-group vpn proposal 10 dh-group '14'
set vpn ipsec ike-group vpn proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group vpn proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec remote-access connection support authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection support authentication local-id 'vpn.somedomain.com'
set vpn ipsec remote-access connection support authentication local-users username stels password 'secret'
set vpn ipsec remote-access connection support authentication server-mode 'x509'
set vpn ipsec remote-access connection support authentication x509 ca-certificate 'isrgrootx1'
set vpn ipsec remote-access connection support authentication x509 ca-certificate 'lets-encrypt-r3'
set vpn ipsec remote-access connection support authentication x509 certificate 'vpn6'
set vpn ipsec remote-access connection support esp-group 'vpn'
set vpn ipsec remote-access connection support ike-group 'vpn'
set vpn ipsec remote-access connection support local-address 'ip on eth0'
set vpn ipsec remote-access connection support pool 'support'
set vpn ipsec remote-access pool support name-server '1.1.1.1'
set vpn ipsec remote-access pool support name-server '9.9.9.9'
set vpn ipsec remote-access pool support prefix '192.168.120.64/27'

What information should I provide?

Details

Difficulty level
Unknown (require assessment)
Version
1.4.0-epa2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

syncer triaged this task as Normal priority.
c-po changed Version from 1.5-rolling-202405260021 to 1.4.0-epa2.

With this change all CAs in the list are rendered into the template.

vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote ipsec.vyos.io

<!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
<!-- Payload for: CAcert Class 3 Root -->
<dict>
    <key>PayloadIdentifier</key>
    <string>org.cacert.class.3.root</string>
    <key>PayloadUUID</key>
    <string>89ca04aa-1e63-11ef-80c5-005056992b32</string>
    <key>PayloadType</key>
    <string>com.apple.security.root</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <!-- This is the Base64 (PEM) encoded CA certificate -->
    <key>PayloadContent</key>
    <data>
    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
    </data>
</dict>
<!-- Payload for: CA Cert Signing Authority -->
<dict>
    <key>PayloadIdentifier</key>
    <string>org.ca.cert.signing.authority</string>
    <key>PayloadUUID</key>
    <string>89ca04aa-1e63-11ef-80c5-005056992b32</string>
    <key>PayloadType</key>
    <string>com.apple.security.root</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <!-- This is the Base64 (PEM) encoded CA certificate -->
    <key>PayloadContent</key>
    <data>
    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
    </data>
</dict>


Apple iOS now recognizes multiple CAs inside the profile.
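To illustrate the two failure modes seen in this task, here is an added example (not VyOS code and not the generator's own implementation) that models the config dict the generator reads. It assumes CA bodies live under pki['ca'][name]['certificate'] and that an ACME-managed server certificate carries no inline 'certificate' key; the sample PKI data is constructed. It normalises a one-or-many ca-certificate value to a list, emits one root payload per CA with its own PayloadUUID, and turns the bare KeyError into a message that names the ACME case.

```python
import plistlib
import uuid

# Constructed stand-in for the config dict the generator reads (not VyOS code).
# Assumed layout: pki['ca'][name]['certificate'] holds the CA body; an
# ACME-managed server cert has no inline 'certificate' key (matches the KeyError).
PKI = {
    "ca": {"isrgrootx1": {"certificate": b"constructed-der-isrgrootx1"},
           "lets-encrypt-r3": {"certificate": b"constructed-der-r3"}},
    "certificate": {"vpn6": {"acme": {"domain-name": "vpn.somedomain.com"}},
                    "vpn-local": {"certificate": b"constructed-der-leaf"}},
}

def as_list(value):
    """One CA arrives as a str, two as a list; indexing a dict with the list
    is what raised TypeError: unhashable type: 'list'."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def ca_payloads(pki, ca_names):
    """One com.apple.security.root payload per CA, each with its own UUID."""
    payloads = []
    for name in as_list(ca_names):
        entry = pki.get("ca", {}).get(name)
        if not entry or "certificate" not in entry:
            raise ValueError(f"pki ca '{name}' has no certificate")
        payloads.append({
            "PayloadIdentifier": f"ca.{name}",
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadContent": entry["certificate"],  # bytes -> <data> in plist
        })
    return payloads

def server_cert(pki, cert_name):
    """Fail with a message naming the ACME case instead of a bare KeyError."""
    entry = pki.get("certificate", {}).get(cert_name)
    if entry is None:
        raise ValueError(f"pki certificate '{cert_name}' does not exist")
    if "certificate" not in entry:
        hint = "is ACME-managed and " if "acme" in entry else ""
        raise ValueError(f"pki certificate '{cert_name}' {hint}has no inline body")
    return entry["certificate"]

def render(pki, ca_names):
    """Serialise the CA payloads as the plist XML the profile embeds."""
    return plistlib.dumps(ca_payloads(pki, ca_names)).decode()
```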

c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-GA) board.

In https://github.com/vyos/vyos-rolling-nightly-builds/releases/tag/1.5-rolling-202405301617 it is written:

op-mode: ipsec: T6407: fix profile generation

PR: vyos/vyos-1x#3552

but

vyos@vyos:~$ show ver | match Version
Version:          VyOS 1.5-rolling-202405301617
vyos@vyos:~$

and

vyos@vyos:~$ generate ipsec profile windows-remote-access support remote vpn.somedomain 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 154, in <module>
    cert = load_certificate(pki['certificate'][cert_name]['certificate'])
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'

@pavel-altair

This was merged Thu May 30 16:35:43 2024 +0200 and your image is from 2024-05-30.

Please try a more recent version

vyos@vyos:~$ generate ipsec profile windows-remote-access support remote ipsec.somedomain 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 154, in <module>
    cert = load_certificate(pki['certificate'][cert_name]['certificate'])
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'
vyos@vyos:~$ show ver
Version:          VyOS 1.5-rolling-202406060020
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Thu 06 Jun 2024 03:11 UTC
Build UUID:       e0cb746f-5572-4aaf-8d6c-536ac82e5957
Build commit ID:  9c2ec5e3d31713

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    aec800bd-994b-4c51-8729-6c22ce1133c1

Copyright:        VyOS maintainers and contributors
vyos@vyos:~$

Please share your full ipsec configuration

vyos@vyos# show vpn ipsec | commands 
set esp-group vpn lifetime '3600'
set esp-group vpn pfs 'enable'
set esp-group vpn proposal 10 encryption 'aes128gcm128'
set esp-group vpn proposal 10 hash 'sha256'
set ike-group vpn key-exchange 'ikev2'
set ike-group vpn lifetime '7200'
set ike-group vpn proposal 10 dh-group '14'
set ike-group vpn proposal 10 encryption 'aes128gcm128'
set ike-group vpn proposal 10 hash 'sha256'
set interface 'eth0'
set options virtual-ip
set remote-access connection support authentication client-mode 'eap-mschapv2'
set remote-access connection support authentication local-id 'ipsec.somedomain'
set remote-access connection support authentication local-users username test password 'test'
set remote-access connection support authentication server-mode 'x509'
set remote-access connection support authentication x509 ca-certificate 'isrgrootx1'
set remote-access connection support authentication x509 ca-certificate 'lets-encrypt-r3'
set remote-access connection support authentication x509 certificate 'vpn2'
set remote-access connection support description 'support remote access'
set remote-access connection support esp-group 'vpn'
set remote-access connection support ike-group 'vpn'
set remote-access connection support local-address 'ip on eth0'
set remote-access connection support pool 'support'
set remote-access pool support name-server '1.1.1.1'
set remote-access pool support name-server '9.9.9.9'
set remote-access pool support prefix '192.168.120.64/27'
[edit]
vyos@vyos#

Please share the output of dpkg -l | grep vyos-1x

vyos@vyos:~$ dpkg -l | grep vyos-1x
ii  vyos-1x                              1.5dev0-1669-g77cb661d8          amd64        VyOS configuration scripts and data
ii  vyos-1x-vmware                       1.5dev0-1669-g77cb661d8          amd64        VyOS configuration scripts and data for VMware
vyos@vyos:~$

Can you please retest with the latest ISO as additional fixes got added to the code.

In upgrade process

Validating signature
Signature is valid
Validating image compatibility
Validating image checksums
What would you like to name this image? (Default: 1.5-rolling-202405301617) 
Would you like to set the new image as the default one for boot? [Y/n] 
An active configuration was found. Would you like to copy it to the new image? [Y/n] 
Copying configuration directory
Cleaning up
Unmounting target filesystems
Removing temporary files
Error: [Errno 17] File exists: '/usr/lib/live/mount/persistence/boot/1.5-rolling-202405301617/rw/opt/vyatta/etc/config'

After reboot

vyos@vyos:~$ generate ipsec profile windows-remote-access support remote ipsec.somedomain
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 154, in <module>
    cert = load_certificate(pki['certificate'][cert_name]['certificate'])
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'
vyos@vyos:~$

This is not the latest image. Please use 1.5-rolling-202406130020

vyos@vyos:~$ generate ipsec profile windows-remote-access support remote ipsec.somedomain
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 153, in <module>
    cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'
vyos@vyos:~$ show ver | match Version:
Version:          VyOS 1.5-rolling-202406130020
vyos@vyos:~$

I can now reproduce the issue. The reason I was unable to reproduce this was that I missed that you use an ACME certificate.

@pavel-altair can you please re-test with VyOS 1.5-rolling-202406170021

c-po changed the task status from Open to Needs testing. Jun 17 2024, 6:45 AM