This is a sample EdgeOS configuration for a site-to-site (S2S) IPsec VPN that uses a VTI interface, giving a “routed” style VPN: traffic is sent into the tunnel by ordinary routes pointing at the VTI rather than by policy-based traffic selectors.
interfaces {
    ethernet eth0 {
        address 192.0.2.1/24
        duplex auto
        speed auto
    }
    vti vti0 {
        address 192.168.0.1/24
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.0.2.254 {
            }
        }
        route 10.0.0.0/8 {
            next-hop 192.168.0.5 {
            }
        }
    }
}
vpn {
    ipsec {
        allow-access-to-local-interface disable
        auto-firewall-nat-exclude disable
        esp-group AES256-SHA384 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha384
            }
        }
        ike-group AES256-SHA384-DH20 {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 20
                encryption aes256
                hash sha384
            }
        }
        site-to-site {
            peer 192.0.2.5 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret 7hB28MwJB4W3xiJryZCgeGc3CTHjGbmu
                }
                connection-type initiate
                ike-group AES256-SHA384-DH20
                local-address 192.0.2.1
                vti {
                    bind vti0
                    esp-group AES256-SHA384
                }
            }
        }
    }
}
In the configuration above, the outside interface eth0 is 192.0.2.1/24 and the remote IKE peer is 192.0.2.5. Simple static routing sends 10.0.0.0/8 over the VTI interface vti0, which is assigned 192.168.0.1/24, towards the peer's VTI address 192.168.0.5; anything that follows that route is carried inside the IPsec tunnel bound to vti0.
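Because a routed VPN only works when the VTI binding, the static routes and the crypto groups all line up, it is worth checking a configuration like this mechanically before committing it. The script below is an added example, not part of the original post and not an EdgeOS tool: it parses the brace-delimited EdgeOS config format into nested dictionaries, then audits the vpn ipsec section (IKEv2, PFS, DH group, hash, pre-shared-secret length, VTI binding) and works out which static routes actually land on a VTI. The embedded config is a trimmed copy of the one above with the pre-shared secret replaced by an obvious placeholder; the thresholds (DH group 14 or higher, PSK of at least 20 characters) are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample: a trimmed copy of the EdgeOS configuration above.
# The pre-shared secret is a placeholder, not the value from the post.
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth0 {
        address 192.0.2.1/24
    }
    vti vti0 {
        address 192.168.0.1/24
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.0.2.254 {
            }
        }
        route 10.0.0.0/8 {
            next-hop 192.168.0.5 {
            }
        }
    }
}
vpn {
    ipsec {
        esp-group AES256-SHA384 {
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha384
            }
        }
        ike-group AES256-SHA384-DH20 {
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 20
                encryption aes256
                hash sha384
            }
        }
        site-to-site {
            peer 192.0.2.5 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret EXAMPLE-PSK-replace-with-32-random-chars
                }
                ike-group AES256-SHA384-DH20
                vti {
                    bind vti0
                    esp-group AES256-SHA384
                }
            }
        }
    }
}
"""


def parse_edgeos(text):
    """Parse EdgeOS brace config into nested dicts.

    'name value {' opens node[name][value]; 'key value' stores a leaf.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for word in line[:-1].split():
                node = node.setdefault(word, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def audit(text):
    """Return policy findings for the vpn ipsec section (empty list = clean)."""
    cfg = parse_edgeos(text)
    ipsec = cfg.get("vpn", {}).get("ipsec", {})
    findings = []
    for name, ike in ipsec.get("ike-group", {}).items():
        if ike.get("key-exchange") != "ikev2":
            findings.append(f"ike-group {name}: key-exchange is not ikev2")
        for num, prop in ike.get("proposal", {}).items():
            if int(prop.get("dh-group", "0")) < 14:  # assumed minimum
                findings.append(f"ike-group {name} proposal {num}: weak dh-group")
            if prop.get("hash") in ("md5", "sha1"):
                findings.append(f"ike-group {name} proposal {num}: weak hash")
    for name, esp in ipsec.get("esp-group", {}).items():
        if esp.get("pfs") != "enable":
            findings.append(f"esp-group {name}: pfs is not enabled")
        for num, prop in esp.get("proposal", {}).items():
            if prop.get("hash") in ("md5", "sha1"):
                findings.append(f"esp-group {name} proposal {num}: weak hash")
    vtis = cfg.get("interfaces", {}).get("vti", {})
    for peer_ip, peer in ipsec.get("site-to-site", {}).get("peer", {}).items():
        auth = peer.get("authentication", {})
        if auth.get("mode") == "pre-shared-secret" and len(auth.get("pre-shared-secret", "")) < 20:
            findings.append(f"peer {peer_ip}: pre-shared-secret shorter than 20 chars")
        bound = peer.get("vti", {}).get("bind")
        if bound is not None and bound not in vtis:
            findings.append(f"peer {peer_ip}: binds undefined interface {bound}")
    return findings


def routes_via_vti(text):
    """Map each static route prefix to the VTI whose subnet holds its next-hop."""
    cfg = parse_edgeos(text)
    nets = {name: ipaddress.ip_interface(v["address"]).network
            for name, v in cfg.get("interfaces", {}).get("vti", {}).items()}
    result = {}
    for prefix, route in cfg.get("protocols", {}).get("static", {}).get("route", {}).items():
        for nh in route.get("next-hop", {}):
            for name, net in nets.items():
                if ipaddress.ip_address(nh) in net:
                    result[prefix] = name
    return result


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_CONFIG))          # expected: []
    print("routes via VTI:", routes_via_vti(SAMPLE_CONFIG))  # expected: {'10.0.0.0/8': 'vti0'}
```

Run it against a saved copy of `show configuration` output; the default route stays off the VTI map because its next-hop 192.0.2.254 lies on eth0's subnet, while 10.0.0.0/8 resolves to vti0, which is exactly the split the prose above describes.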