Multiple IPSec with same remote subnets

  • I'm running multiple IPSec tunnels to various customers providing a SaaS-based solution, and for each new customer I create an additional VLAN, set up the IPSec tunnel and map their network to our dedicated VLAN where some services are running. Up until now we've been lucky because they all use different internal network addressing (what are the odds), so the setup is pretty straightforward.

    Next to the regular P1/P2 IPSec tunnel setup I also create a gateway & static route so I can ping the remote P2 subnet from pfSense; not really necessary, but handy for some tasks.

    But what do I do when a new client has the same subnet as an existing one?
    Will the P1/P2 take care of the routing or do I need to apply a different configuration somehow?


  • If you control the remote end, BINAT the incoming P2 to a unique subnet. That being said, if the duplicate remote networks are hitting different internal VLANs/subnets, that will work. Static routes are unnecessary with traditional phase 2 policy-based IPSec. If you need to ping from the firewall itself, select the interface the P2 terminates on as the source.

  • @dotdash is right. If the other side has a matching network, they have to configure a NAT. Maybe have a look at this page. It's originally posted in German, but maybe Google Translate works:
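The two mechanisms the replies rely on, phase 2 selector matching and 1:1 BINAT, are easy to misjudge without working through an address. The following Python model is an added illustration, not code from the thread or from pfSense. The topology (two customers both using 10.0.0.0/24, landing on local VLANs 192.168.1.0/24 and 192.168.2.0/24, customer B translating itself to 172.16.2.0/24, a WAN address of 203.0.113.2) is constructed for the example; `Phase2`, `select_p2` and `binat` are hypothetical helpers that stand in for the kernel's policy lookup and a 1:1 network translation, respectively.

```python
"""Model of phase-2 (policy-based IPsec) selector matching and 1:1 BINAT.

Added example, not pfSense code.  Constructed topology: two customers both
use 10.0.0.0/24 internally.  Customer A's tunnel lands on local VLAN
192.168.1.0/24, customer B's on 192.168.2.0/24.  All addresses are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry: the (local, remote) traffic selector pair."""
    name: str
    local: IPv4Network   # our side of the tunnel
    remote: IPv4Network  # their side, as it appears inside the tunnel


def select_p2(policies, src, dst):
    """Return the P2 whose (local, remote) selector pair covers src -> dst.

    Policy-based IPsec does not route: an outbound packet is protected by
    the SA whose *pair* of selectors matches it, so two P2s with identical
    remote subnets are still distinct as long as their local subnets differ.
    Returns None when nothing matches; raises when the match is ambiguous.
    """
    src, dst = ip_address(src), ip_address(dst)
    hits = [p for p in policies if src in p.local and dst in p.remote]
    if len(hits) > 1:
        raise ValueError(f"ambiguous selectors: {[p.name for p in hits]}")
    return hits[0] if hits else None


def binat(addr, real_net, translated_net):
    """1:1 network translation: keep the host bits, swap the network prefix.

    This is the translation the remote end has to apply (or that pfSense's
    phase 2 'NAT/BINAT translation' applies to the local side) so that a
    duplicate subnet shows up as a unique one inside the tunnel.
    """
    addr = ip_address(addr)
    if addr not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    if real_net.prefixlen != translated_net.prefixlen:
        raise ValueError("BINAT requires equal-sized networks")
    host_bits = int(addr) - int(real_net.network_address)
    return IPv4Address(int(translated_net.network_address) + host_bits)


# Constructed topology -------------------------------------------------------
CUSTOMER_NET = ip_network("10.0.0.0/24")   # both customers use this range
VLAN_A = ip_network("192.168.1.0/24")
VLAN_B = ip_network("192.168.2.0/24")
B_TRANSLATED = ip_network("172.16.2.0/24")  # what customer B NATs itself to

# Case 1: duplicate remote subnets, distinct local VLANs, no NAT at all.
POLICIES_NO_NAT = [
    Phase2("customer-A", VLAN_A, CUSTOMER_NET),
    Phase2("customer-B", VLAN_B, CUSTOMER_NET),
]

# Case 2: customer B translates to 172.16.2.0/24 before entering the tunnel,
# so the remote subnets are unique from pfSense's point of view.
POLICIES_BINAT = [
    Phase2("customer-A", VLAN_A, CUSTOMER_NET),
    Phase2("customer-B", VLAN_B, B_TRANSLATED),
]


def demo():
    """Walk through the cases the thread discusses; returns the outcomes."""
    # Hosts on each VLAN reach "their" 10.0.0.7 over the right tunnel.
    via_a = select_p2(POLICIES_NO_NAT, "192.168.1.10", "10.0.0.7").name
    via_b = select_p2(POLICIES_NO_NAT, "192.168.2.10", "10.0.0.7").name
    # A ping from the firewall with its WAN address as source matches no
    # selector pair: this is why the source must be the VLAN interface.
    from_wan = select_p2(POLICIES_NO_NAT, "203.0.113.2", "10.0.0.7")
    from_vlan_b = select_p2(POLICIES_NO_NAT, "192.168.2.1", "10.0.0.7").name
    # With BINAT, customer B's host 10.0.0.7 is addressed as 172.16.2.7.
    translated = str(binat("10.0.0.7", CUSTOMER_NET, B_TRANSLATED))
    return via_a, via_b, from_wan, from_vlan_b, translated


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of both replies: with distinct local VLANs the duplicate remote subnets never collide in selector matching, a firewall-sourced ping only matches once its source is on the terminating interface, and once customer B is BINATed, the address you reach it at is the translated one, not 10.0.0.x.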

