Tested in VyOS 1.3.0-epa3
There is no way to configure multiple 'local prefix' (or 'remote prefix') for an IPsec tunnel:
vyos@vyos# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.1.0.0/24
vyos@vyos# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.2.0.0/24
vyos@vyos# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.3.0.0/24
vyos@vyos# compare
+vpn {
+ ipsec {
+ site-to-site {
+ peer PEER {
+ connection-type initiate
+ ikev2-reauth inherit
+ tunnel 0 {
+ allow-nat-networks disable
+ allow-public-networks disable
+ local {
+ prefix 10.3.0.0/24
+ }
+ }
+ }
+ }
+ }
+}

In VyOS 1.4-rolling-202110310317 it works:
vyos@R1# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.0.0.0/24'
vyos@R1# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.1.0.0/24'
vyos@R1# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.2.0.0/24'
vyos@R1# compare
[edit vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local]
+prefix 10.0.0.0/24
+prefix 10.1.0.0/24
+prefix 10.2.0.0/24