It's a bit confusing, I can create a tunnel with 0.0.0.0/0 if I need it. That's how it is also done on Palo Alto FW and Fortigate. Anyway, it is just my opinion. Thanks for picking up this request so quickly.
Jun 11 2021
@sdev That makes sense, you can also get rid of "esp-group" under vti as it will be specified per tunnel.
I like that we can specify multiple prefixes under one tunnel but also can configure multiple tunnels for more complex scenarios.
@sdev Yes, this can be done identically to the tunnel definition.
Jun 10 2021
@sdev Will it not create a full mesh, for example:
10.10.10.0/24 <--> 192.168.10.0/24
10.10.20.0/24 <--> 192.168.20.0/24
It will also set up IPsec for 10.10.10.0/24 <--> 192.168.20.0/24 and 10.10.20.0/24 <--> 192.168.10.0/24, which may not be desired.
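To make the full-mesh concern above concrete, here is a small added illustration (not from the thread or from VyOS) that models the two ways of expressing the same prefixes: one tunnel carrying several local and remote prefixes versus one tunnel per prefix pair. It assumes, as the question above does, that every local prefix under a tunnel gets paired with every remote prefix under that tunnel; the prefix lists are constructed sample data taken from the example, and the helper names are my own.

```python
from ipaddress import ip_network
from itertools import product

# Constructed sample: one tunnel carrying two local and two remote prefixes,
# mirroring the thread's example.
ONE_TUNNEL = [
    {"local": ["10.10.10.0/24", "10.10.20.0/24"],
     "remote": ["192.168.10.0/24", "192.168.20.0/24"]},
]

# Constructed sample: the same prefixes split into two tunnels, one pair each.
TWO_TUNNELS = [
    {"local": ["10.10.10.0/24"], "remote": ["192.168.10.0/24"]},
    {"local": ["10.10.20.0/24"], "remote": ["192.168.20.0/24"]},
]

# The (local, remote) pairs the operator actually wants encrypted.
INTENDED = [
    ("10.10.10.0/24", "192.168.10.0/24"),
    ("10.10.20.0/24", "192.168.20.0/24"),
]


def traffic_selectors(tunnels):
    """Set of (local, remote) selector pairs the tunnels would negotiate.

    Assumption (hypothetical model, not VyOS behaviour): within one tunnel
    every local prefix is paired with every remote prefix, i.e. a full mesh.
    """
    pairs = set()
    for tunnel in tunnels:
        for local, remote in product(tunnel["local"], tunnel["remote"]):
            pairs.add((ip_network(local), ip_network(remote)))
    return pairs


def unintended_pairs(tunnels, intended):
    """Selector pairs that would be negotiated but were never intended."""
    wanted = {(ip_network(l), ip_network(r)) for l, r in intended}
    return traffic_selectors(tunnels) - wanted


def overlapping_selectors(tunnels):
    """Selector pairs whose local AND remote prefixes both overlap another pair.

    Traffic matching two such selectors is ambiguous about which SA carries
    it, which is the kind of mis-specification worth catching before commit.
    """
    selectors = sorted(traffic_selectors(tunnels), key=str)
    clashes = []
    for i, (l1, r1) in enumerate(selectors):
        for l2, r2 in selectors[i + 1:]:
            if l1.overlaps(l2) and r1.overlaps(r2):
                clashes.append(((l1, r1), (l2, r2)))
    return clashes


if __name__ == "__main__":
    print("one tunnel  :", len(traffic_selectors(ONE_TUNNEL)), "selectors")
    print("two tunnels :", len(traffic_selectors(TWO_TUNNELS)), "selectors")
    for local, remote in sorted(unintended_pairs(ONE_TUNNEL, INTENDED), key=str):
        print("unintended  :", local, "<-->", remote)
```

Under the full-mesh assumption the single tunnel yields four selectors, two of which are the cross pairs the comment above warns about, while the two-tunnel form yields exactly the two intended pairs. `overlapping_selectors` is the extra check a practitioner would run on a larger config: it flags selectors such as 10.10.0.0/16 and 10.10.10.0/24 towards the same remote prefix, which shadow each other.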
@Viacheslav Can be similar to policy-based ipsec
# set vpn ipsec site-to-site peer 220.127.116.11 tunnel 1
Possible completions:
  allow-nat-networks     Option to allow NAT networks
  allow-public-networks  Option to allow public networks
  disable                Option to disable vpn tunnel
  esp-group              ESP group name
> local                  Local parameters for interesting traffic
  protocol               Protocol to encrypt
> remote                 Remote parameters for interesting traffic
May 26 2021
@Viacheslav We have been running the new rolling release in the lab since 24th May with no issues. Thanks for the help.