Hi,
Thanks for replying.
Yes, you’re exactly right I believe. Unfortunately the VyOS doesn’t seem to support multiple subnets in a single SA. We also tried setting up 2 separate ipsec endpoints at the GCP end, but although the tunnels come up the routing instance in GCP sees them both as ECMP paths back to the far end so it doesn’t work.