Tested on VyOS 1.3.0-epa3.
Configuring a site-to-site IPsec peer whose esp-group uses `mode 'transport'` together with per-tunnel `local prefix` / `remote prefix` selectors (the error message still refers to them by the legacy names local-subnet / remote-subnet) fails at commit time:
# commit [ vpn ipsec site-to-site peer TST2 tunnel 0 ] VPN configuration error: Can not use local-subnet or remote-subnet when using transport mode
To reproduce (paste the following into configure mode, then run `commit`; the addresses and the pre-shared secret are lab placeholders, not production values):
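# VyOS 1.3.0-epa3 configure-mode reproducer: one command per line so it can be
# pasted as-is. Commit fails on the last two selector lines with
# "Can not use local-subnet or remote-subnet when using transport mode".
#
# NOTE(review): transport mode protects only traffic exchanged directly between
# the two peer addresses (here 192.168.2.2 <-> 192.168.1.1). The 10.2.2.0/24 <->
# 10.1.1.0/24 prefixes describe subnet-to-subnet traffic, which requires tunnel
# mode; the commit check may therefore be rejecting an inconsistent configuration
# rather than being a bug in itself. To test transport mode, drop the two prefix
# lines; to protect the subnets, use `esp-group ESP mode 'tunnel'`.
#
# NOTE(review): the cryptographic parameters below are lab-only. IKE proposal 2
# uses dh-group 2 (1024-bit MODP) with SHA-1, and the ESP proposal uses SHA-1;
# both are deprecated for new deployments (see RFC 8247) — prefer dh-group 14+
# (or an ECP group), SHA-256 or better, and an AEAD such as aes128gcm128. The
# pre-shared secret 'VyOS' is a placeholder and must be replaced with a long,
# random secret before any real use.

# Interfaces and default route (eth0 is the IPsec-facing interface).
set interfaces ethernet eth0 address '192.168.2.2/24'
set interfaces ethernet eth1 address '10.2.2.2/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.2.100

# ESP group: transport mode is the trigger for the reported commit error.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '1800'
set vpn ipsec esp-group ESP mode 'transport'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'

# IKEv2 group (weak proposal, lab-only — see note above).
set vpn ipsec ike-group IKEv2gr close-action 'none'
set vpn ipsec ike-group IKEv2gr ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2gr key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2gr lifetime '86400'
set vpn ipsec ike-group IKEv2gr mobike 'disable'
set vpn ipsec ike-group IKEv2gr proposal 2 dh-group '2'
set vpn ipsec ike-group IKEv2gr proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKEv2gr proposal 2 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'

# Peer TST2: PSK authentication with explicit local/remote IKE identities.
set vpn ipsec site-to-site peer TST2 authentication id '192.168.2.2'
set vpn ipsec site-to-site peer TST2 authentication remote-id '192.168.1.1'
set vpn ipsec site-to-site peer TST2 connection-type 'initiate'
set vpn ipsec site-to-site peer TST2 force-encapsulation 'enable'
set vpn ipsec site-to-site peer TST2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer TST2 authentication pre-shared-secret 'VyOS'
set vpn ipsec site-to-site peer TST2 local-address '192.168.2.2'
set vpn ipsec site-to-site peer TST2 ike-group 'IKEv2gr'
set vpn ipsec site-to-site peer TST2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer TST2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer TST2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer TST2 tunnel 0 esp-group 'ESP'

# Subnet selectors — these two lines, combined with mode 'transport' above,
# are what the commit validation rejects.
set vpn ipsec site-to-site peer TST2 tunnel 0 local prefix '10.2.2.0/24'
set vpn ipsec site-to-site peer TST2 tunnel 0 remote prefix '10.1.1.0/24'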