Netgate Discussion Forum

IPSec tunnel questions

IPsec
ipsec routing
    freddy550
    last edited by Mar 11, 2024, 12:30 PM

    Can I host a firewall in my VMware and in this have multiple firewalls to different customers?
    And send each firewall to a different VApp / server on my side?

    Customer 1 -> Tunnel 1 -> My Server 1
    Customer 2 -> Tunnel 2 -> My Server 2

    What happens if two customers have the same network in their side?
    Also, if one new customer happens to have the same IP span as me, can I then add a new one as endpoint on my side and not mess up the other tunnels?

    Lots of questions ;-)

      viragomann @freddy550
      last edited by Mar 11, 2024, 1:33 PM

      @freddy550 said in IPSec tunnel questions:

      Can I host a firewall in my VMware and in this have multiple firewalls to different customers?

      Multiple firewalls in a firewall? Or do you mean, multiple IPSec tunnels?
      If the latter then yes.

      What happens if two customers have the same network in their side?

      One would have to NAT his network.

      Also, if one new customer happens to have the same IP span as me, can I then add a new one as endpoint on my side and not mess up the other tunnels?

      Either you or the remote needs to NAT his subnet.

        freddy550 @viragomann
        last edited by freddy550 Mar 11, 2024, 2:45 PM Mar 11, 2024, 2:44 PM

        @viragomann If the network is NATed then I will lose the ability to log who the traffic is coming from in the destination server, right?

          viragomann @freddy550
          last edited by Mar 11, 2024, 2:52 PM

          @freddy550
          No. Your IPSec configuration has to be aware of the NAT, otherwise it will not connect.

          Imagine, the remote site is 192.168.20.0/24 and it is natted to 10.227.56.0/24. So your phase 2 has to use 10.227.56.0/24 as remote network to connect to.
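
An added example, not part of the thread or of pfSense: a Python sketch that checks a set of tunnels for overlapping phase 2 remote networks and maps a NATed source address seen in a server log back to the customer and its real host address. It assumes a 1:1 subnet mapping that preserves the host part; the customer names, the local network and every subnet other than the 192.168.20.0/24 to 10.227.56.0/24 pair from the post are constructed.

```python
import ipaddress

# Constructed sample data. Only 192.168.20.0/24 -> 10.227.56.0/24 is from the thread.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
TUNNELS = {
    "customer1": {"real": "192.168.20.0/24", "nat": "10.227.56.0/24"},
    "customer2": {"real": "192.168.20.0/24", "nat": "10.227.57.0/24"},
    "customer3": {"real": "172.16.5.0/24", "nat": None},
}


def selector(tunnel):
    """Network used as the phase 2 remote network: the NAT subnet if set, else the real one."""
    return ipaddress.ip_network(tunnel["nat"] or tunnel["real"])


def find_conflicts(tunnels, local_net):
    """Return sorted name pairs whose phase 2 networks overlap each other or the local net."""
    nets = {name: selector(t) for name, t in tunnels.items()}
    nets["local"] = local_net
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def attribute(addr, tunnels):
    """Map a source address from a server log to (customer, real address), or None."""
    ip = ipaddress.ip_address(addr)
    for name, t in tunnels.items():
        sel = selector(t)
        if ip in sel:
            real = ipaddress.ip_network(t["real"])
            if real.prefixlen != sel.prefixlen:
                # Assumption of this sketch: 1:1 mapping between equal-size subnets.
                raise ValueError(f"{name}: NAT and real subnets differ in size")
            offset = int(ip) - int(sel.network_address)
            return name, str(real.network_address + offset)
    return None


if __name__ == "__main__":
    print("conflicts:", find_conflicts(TUNNELS, LOCAL_NET))
    for src in ("10.227.56.14", "10.227.57.14", "172.16.5.9"):
        print(src, "->", attribute(src, TUNNELS))
```

Because each customer gets its own NAT subnet, the source address in the log alone identifies the tunnel, even when two customers use the same real network.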

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.