When upgrading from 1.3 to 1.4.0-rc3, IPsec site-to-site peers whose names begin with an `@` have a `pki ca` certificate created with an `@` in the name (https://github.com/vyos/vyos-1x/blob/d736a9b70ca897bdf1e0237b64ab5c7eb958b520/src/migration-scripts/ipsec/6-to-7#L66).
The configuration loads fine but fails to commit since `@` is not a valid name for `pki ca`.