It is possible to set a protocol for an IPsec tunnel, but if the IPsec peer is configured to use a transport-mode ESP group, the protocol is not carried into the generated configuration. For example:
```
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group ESP1 compression 'disable'
set vpn ipsec esp-group ESP1 lifetime '3600'
set vpn ipsec esp-group ESP1 mode 'transport'
set vpn ipsec esp-group ESP1 pfs 'dh-group2'
set vpn ipsec esp-group ESP1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE1 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE1 dead-peer-detection interval '15'
set vpn ipsec ike-group IKE1 dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE1 lifetime '28800'
set vpn ipsec ike-group IKE1 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 default-esp-group 'ESP1'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE1'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 protocol 'ipencap'
```
This generates the following ipsec.conf:
```
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
	keyexchange=ikev1

conn peer-192.0.2.2-tunnel-1
	left=192.0.2.1
	right=192.0.2.2
	ike=aes128-sha1-modp1024!
	keyexchange=ikev1
	ikelifetime=28800s
	dpddelay=15s
	dpdtimeout=30s
	dpdaction=restart
	closeaction=none
	esp=aes128-sha1-modp1024!
	keylife=3600s
	rekeymargin=540s
	type=transport
	compress=no
	authby=secret
	auto=start
	keyingtries=%forever
#conn peer-192.0.2.2-tunnel-1
```
So the protocol 'ipencap' was ignored entirely. A correct version should look like this:
```
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
	keyexchange=ikev1

conn peer-192.0.2.2-tunnel-1
	left=192.0.2.1
	right=192.0.2.2
	leftsubnet=192.0.2.1[ipencap]
	rightsubnet=192.0.2.2[ipencap]
	ike=aes128-sha1-modp1024!
	keyexchange=ikev1
	ikelifetime=28800s
	dpddelay=15s
	dpdtimeout=30s
	dpdaction=restart
	closeaction=none
	esp=aes128-sha1-modp1024!
	keylife=3600s
	rekeymargin=540s
	type=transport
	compress=no
	authby=secret
	auto=start
	keyingtries=%forever
#conn peer-192.0.2.2-tunnel-1
```
We need to add proper handling of such configurations.
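As an added illustration (not code from vpn-config.pl, which is Perl, nor from any VyOS component), the following Python sketches the missing step and a check for it: in transport mode the configured protocol belongs in the leftsubnet/rightsubnet selectors as addr[proto], and a generated ipsec.conf can be verified to carry it on both sides. The dict layout, sample strings and function names are assumptions for this example.

```python
import re

# Constructed sample: the fields of the tunnel from the report, as a plain
# dict (hypothetical layout; not vpn-config.pl's own data structures).
TUNNEL = {"peer": "192.0.2.2", "local_address": "192.0.2.1", "tunnel": 1,
          "esp_mode": "transport", "protocol": "ipencap"}

# Constructed sample of what the script emits today: the protocol is dropped.
BUGGY_CONN = ("conn peer-192.0.2.2-tunnel-1\n\tleft=192.0.2.1\n"
              "\tright=192.0.2.2\n\ttype=transport\n#conn peer-192.0.2.2-tunnel-1\n")

# Matches 'leftsubnet=ADDR' or 'leftsubnet=ADDR[PROTO]' (same for right).
SELECTOR_RE = re.compile(r"^\s*(left|right)subnet=(\S+?)(?:\[([^\]]+)\])?\s*$", re.M)


def selector(addr, proto):
    """strongSwan traffic selector: 'addr', or 'addr[proto]' when limited to one protocol."""
    return f"{addr}[{proto}]" if proto else addr


def render_conn(t):
    """Render the conn section. In transport mode a configured protocol is
    carried in the leftsubnet/rightsubnet selectors instead of being ignored."""
    name = f"peer-{t['peer']}-tunnel-{t['tunnel']}"
    lines = [f"conn {name}", f"\tleft={t['local_address']}", f"\tright={t['peer']}"]
    if t["esp_mode"] == "transport" and t.get("protocol"):
        lines.append(f"\tleftsubnet={selector(t['local_address'], t['protocol'])}")
        lines.append(f"\trightsubnet={selector(t['peer'], t['protocol'])}")
    lines.append(f"\ttype={t['esp_mode']}")
    lines.append(f"#conn {name}")
    return "\n".join(lines) + "\n"


def conn_block(conf, name):
    """Return the body of one conn section, up to the next 'conn' or '#conn' line."""
    m = re.search(rf"^conn {re.escape(name)}\n(.*?)(?=^conn |^#conn |\Z)", conf, re.S | re.M)
    return m.group(1) if m else ""


def selector_protocols(conf, name):
    """Map 'left'/'right' to the protocol in that side's subnet selector
    (None when the selector is absent or carries no protocol)."""
    found = {"left": None, "right": None}
    for side, _addr, proto in SELECTOR_RE.findall(conn_block(conf, name)):
        found[side] = proto or None
    return found


def honours_protocol(conf, name, proto):
    """True when both selectors of the conn restrict traffic to the configured protocol."""
    got = selector_protocols(conf, name)
    return got["left"] == proto and got["right"] == proto
```

Running honours_protocol over the generated file after a config commit is a cheap regression check that the selectors match what was configured.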