Generate ipsec profile error

pavel-altair · May 27, 2024, 10:16am

Hello.
I’m trying to set up a ikev2 remote-access VPN, but after setting it up I can’t create profiles with the built-in generator.


vyos@vyos:~$ generate ipsec profile windows-remote-access support remote vpn.somedomain.com
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 150, in <module>
    ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
                               ~~~~~~~~~^^^^^^^^^
TypeError: unhashable type: 'list'
vyos@vyos:~$

 vyos@vyos:~$ show ver | match Version
Version:          VyOS 1.5-rolling-202405260021
vyos@vyos:~$

set pki ca isrgrootx1 certificate 'certdata'
set pki ca lets-encrypt-r3 certificate 'certdata'
set pki certificate vpn6 certificate 'certdata from letsencrypt'
set pki certificate vpn6 private key 'privkey from letsencrypt'
set vpn ipsec esp-group vpn lifetime '3600'
set vpn ipsec esp-group vpn pfs 'enable'
set vpn ipsec esp-group vpn proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group vpn proposal 10 hash 'sha256'
set vpn ipsec ike-group vpn key-exchange 'ikev2'
set vpn ipsec ike-group vpn lifetime '7200'
set vpn ipsec ike-group vpn proposal 10 dh-group '14'
set vpn ipsec ike-group vpn proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group vpn proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec remote-access connection support authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection support authentication local-id 'vpn.somedomain.com'
set vpn ipsec remote-access connection support authentication local-users username stels password 'secret'
set vpn ipsec remote-access connection support authentication server-mode 'x509'
set vpn ipsec remote-access connection support authentication x509 ca-certificate 'isrgrootx1'
set vpn ipsec remote-access connection support authentication x509 ca-certificate 'lets-encrypt-r3'
set vpn ipsec remote-access connection support authentication x509 certificate 'vpn6'
set vpn ipsec remote-access connection support esp-group 'vpn'
set vpn ipsec remote-access connection support ike-group 'vpn'
set vpn ipsec remote-access connection support local-address 'ip on eth0'
set vpn ipsec remote-access connection support pool 'support'
set vpn ipsec remote-access pool support name-server '1.1.1.1'
set vpn ipsec remote-access pool support name-server '9.9.9.9'
set vpn ipsec remote-access pool support prefix '192.168.120.64/27'

What information should I provide?

Viacheslav · May 27, 2024, 10:30am

Can you open a bug report on https://vyos.dev ?
Thanks.

pavel-altair · May 27, 2024, 10:51am

https://vyos.dev/T6407