Channel: All EdgeRouter posts

Re: EdgeOS (ER-X) IPsec & IKEv2 Feature Requests


psi-jack wrote:

This is two tunnels, not one tunnel. 

 

set vpn ipsec site-to-site peer a.b.c.d tunnel 1 local prefix 0.0.0.0/0

 

This is one tunnel, but potentially can make the other endpoint route all traffic through the local endpoint, which is also usually not desirable. 


An additional note. Using 0.0.0.0/0 causes the actual router itself to not source-route properly for endpoints. It ends up using the default route IP, which is the WAN IP since the IPsec is initiated on the WAN port. Other hosts could route through it without any issue, but for the router itself, pings in tcpdump showed as coming from the WAN IP and not the router's local subnet IP.

 

I've worked around this limitation by moving my OpenVPN RoadWarrior VPN from 10.240.0.0/24 to 172.23.250.0/24 which allows me to provide a local subnet of 172.16.0.0/13 which covers both 172.17.0.0/16 and 172.23.250.0/24 within it nicely enough. 

 

It would still be very nice to actually have IKEv2 routing subnets properly supported by allowing multiple comma-separated subnets to be provided in the leftsubnet.
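The supernet trick described in the post above (a single local prefix wide enough to cover several subnets, instead of 0.0.0.0/0 or one tunnel per subnet) can be checked mechanically. The following is an added example and not code from the post or from EdgeOS; it computes the smallest covering prefix for a list of local subnets, flags the cases the post warns about (0.0.0.0/0, a subnet left uncovered, overlap with the remote side's prefix), and, as the fallback, prints one EdgeOS tunnel stanza per subnet. The peer address, the 192.168.1.0/24 remote prefix and the helper names are assumptions made for illustration; the 172.x/10.x subnets are the ones the post mentions.

```python
"""
Added example (not from the original forum post or EdgeOS): given the local
subnets a site-to-site IPsec peer should reach, find the smallest single
supernet that covers them all (the "one tunnel" approach), check it against
the remote prefix, and, as a fallback, emit one EdgeOS tunnel stanza per
subnet (the "two tunnels" approach).  Peer and remote values are constructed.
"""
import ipaddress
from typing import List


def covering_supernet(subnets: List[str]) -> ipaddress.IPv4Network:
    """Smallest IPv4 prefix that contains every subnet in the list.

    Starting from the first subnet, widen the prefix one bit at a time until
    all the others fit.  Widely separated subnets (e.g. 10.x and 172.x) end
    up at 0.0.0.0/0, which is exactly the outcome the post avoids by
    renumbering its RoadWarrior VPN into 172.23.250.0/24.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # prefix length minus one; stays put at /0
    return agg


def check_local_prefix(local: str, subnets: List[str], remote: str) -> List[str]:
    """Problems with using `local` as the tunnel's local prefix.

    An empty list means the prefix is acceptable for the given subnets.
    """
    problems = []
    local_net = ipaddress.ip_network(local, strict=False)
    remote_net = ipaddress.ip_network(remote, strict=False)
    if local_net.prefixlen == 0:
        # The peer would treat this endpoint as a route for all its traffic.
        problems.append("0.0.0.0/0 as local prefix invites the peer to route "
                        "all of its traffic through this endpoint")
    for s in subnets:
        if not ipaddress.ip_network(s, strict=False).subnet_of(local_net):
            problems.append(f"{s} is not covered by {local}")
    if local_net.overlaps(remote_net):
        # Overlapping traffic selectors make the tunnel ambiguous.
        problems.append(f"local prefix {local} overlaps remote prefix {remote}")
    return problems


def edgeos_tunnel_commands(peer: str, local_prefixes: List[str],
                           remote: str) -> List[str]:
    """One 'tunnel N' block per local prefix: the multi-tunnel alternative
    to a single aggregated local prefix (assumed EdgeOS CLI syntax, taken
    from the 'set vpn ipsec site-to-site peer ...' form used in the post)."""
    cmds = []
    for i, lp in enumerate(local_prefixes, start=1):
        base = f"set vpn ipsec site-to-site peer {peer} tunnel {i}"
        cmds.append(f"{base} local prefix {lp}")
        cmds.append(f"{base} remote prefix {remote}")
    return cmds


if __name__ == "__main__":
    peer = "a.b.c.d"                 # placeholder peer address, as in the post
    remote = "192.168.1.0/24"        # constructed remote-side prefix
    wanted = ["172.17.0.0/16", "172.23.250.0/24"]
    agg = covering_supernet(wanted)
    print("covering supernet:", agg)  # 172.16.0.0/13, as the post found
    print("problems:", check_local_prefix(str(agg), wanted, remote))
    print("problems with 0.0.0.0/0:",
          check_local_prefix("0.0.0.0/0", wanted, remote))
    for line in edgeos_tunnel_commands(peer, wanted, remote):
        print(line)
```

With the original 10.240.0.0/24 RoadWarrior range the aggregate collapses to 0.0.0.0/0, which is why renumbering it next to 172.17.0.0/16 lets a single /13 do the job.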

 

