psi-jack wrote:
set vpn ipsec site-to-site peer a.b.c.d tunnel 1 local prefix 172.17.0.0/16
set vpn ipsec site-to-site peer a.b.c.d tunnel 2 local prefix 10.240.0.0/24
This is two tunnels, not one tunnel.
Indeed, multiple tunnels (Security Associations) under a single peer configuration. But this is how I'm used to it on Cisco and Astaro/Sophos, so I'm pretty sure this is standards based.
If a single tunnel is a requirement, VTI is the way to go, but it's unusable on dynamic WAN IPs.
On dynamic WAN IPs, add an extra GRE tunnel. User traffic is encapsulated in GRE, which in turn is encrypted in IPsec. This was the routable-interface approach in the pre-VTI era.
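The GRE-inside-IPsec layering described in the reply, written out in the same `set`-style CLI as the quoted snippet. This is an added illustration, not configuration from the thread or from either poster. Everything in it is a placeholder assumption: the WAN addresses 198.51.100.1 and 203.0.113.1, the inner /30, the names tun0, IKE-GRE and ESP-GRE, the pre-shared secret, the remote LAN 192.168.50.0/24 and the 1400-byte MTU. Both ends are shown with static WAN addresses so the three layers (routed traffic, GRE, ESP) stay visible; how a dynamic-address site supplies its `local-address` and tun0 `local-ip` is platform-specific and not shown here.

```text
# Site A (WAN 198.51.100.1, LAN 172.17.0.0/16). Site B mirrors this with the
# addresses swapped. All addresses, names and the secret are placeholders.

# 1. Routable GRE interface: user traffic is routed into tun0 and leaves the
#    box as IP protocol 47 between the two WAN addresses.
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 198.51.100.1
set interfaces tunnel tun0 remote-ip 203.0.113.1
set interfaces tunnel tun0 address 10.255.0.1/30
set interfaces tunnel tun0 mtu 1400

# 2. IKE and ESP parameters. Transport mode is sufficient here: the GRE packet
#    already carries the outer WAN addresses, so a second IP header (tunnel
#    mode) would only add overhead.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-GRE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GRE proposal 1 hash sha256
set vpn ipsec ike-group IKE-GRE proposal 1 dh-group 14
set vpn ipsec esp-group ESP-GRE mode transport
set vpn ipsec esp-group ESP-GRE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GRE proposal 1 hash sha256

# 3. A single SA whose selector is "GRE between the two WAN addresses". Every
#    prefix routed over tun0 is covered by it, so no per-prefix tunnel entries
#    (tunnel 1, tunnel 2, ...) are needed as in the quoted configuration.
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret REPLACE-WITH-A-LONG-RANDOM-SECRET
set vpn ipsec site-to-site peer 203.0.113.1 ike-group IKE-GRE
set vpn ipsec site-to-site peer 203.0.113.1 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group ESP-GRE
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 protocol gre

# 4. Remote networks are ordinary routes over the GRE interface, not IPsec
#    selectors, so adding a LAN later touches only the routing table.
set protocols static route 192.168.50.0/24 next-hop 10.255.0.2
```

The `#` lines are annotations for the reader, not CLI input; strip them before pasting. After committing on both sides, `show vpn ipsec sa` should list one SA for the peer and `show interfaces tunnel tun0` should report the interface up; if the SA is up but nothing crosses tun0, check that both ends agree on transport mode and on `protocol gre`, since a mismatch there leaves the GRE packets unencrypted or silently dropped by the policy. The reduced MTU is deliberate: GRE adds 24 bytes and ESP adds more, and without it large packets are fragmented or blackholed on the path.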